Abstract. We consider the problem of recovering a hidden element $s$ of a finite field $\mathbb{F}_q$ of $q$ elements from queries to an oracle that for a given $x \in \mathbb{F}_q$ returns $(x+s)^e$ for a given divisor $e \mid q-1$. We use some techniques from additive combinatorics and analytic number theory that lead to more efficient algorithms than the naive interpolation algorithm; for example, they use substantially fewer queries to the oracle.



1. Introduction

1.1. Set-up and Motivation. Let $\mathbb{F}_q$ be a finite field of $q$ elements. For a positive integer $e \mid q-1$ and an element $s \in \mathbb{F}_q$ we use $\mathcal{O}_{e,s}$ for an oracle that on every input $x \in \mathbb{F}_q$ outputs $\mathcal{O}_{e,s}(x) = (x+s)^e$ for some "hidden" element $s \in \mathbb{F}_q$.

Here we consider the Hidden Shifted Power Problem:

given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_q$, find $s$.

We also consider the following two versions of the Shifted Power Identity Testing:

given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_q$ and known $t \in \mathbb{F}_q$, decide whether $s = t$, provided that the call $x = -t$ is forbidden;

and

given two oracles $\mathcal{O}_{e,s}$ and $\mathcal{O}_{e,t}$ for some unknown $s, t \in \mathbb{F}_q$, decide whether $s = t$.



Certainly these problems are special cases of the more general problems of oracle (also sometimes called "black-box") polynomial interpolation and identity testing for arbitrary polynomials, see [4] and references therein.

We note that giving the values of $(x+s)^e$ is fully equivalent (modulo solving a discrete logarithm problem in the subgroup of $\mathbb{F}_q^*$ of order $(q-1)/e$) to giving the values of $\chi(x+s)$ for some fixed multiplicative character $\chi$ of $\mathbb{F}_q^*$, see [11, 22, 38], where several classical and quantum algorithms for this and some other similar problems are given. The Hidden Shifted Power Problem, under the name of Hidden Root Problem, has also been re-introduced by Vercauteren [33] in relation to the so-called fault attack on pairing based cryptosystems on elliptic curves.

In the case when $\mathbb{F}_q$ has a subfield of an appropriate size some approaches to solving the Hidden Shifted Power Problem have been given in [13]. Here we concentrate on the case of prime fields.

For a prime $q = p > 3$ and $e = (p-1)/2$ the Hidden Shifted Power Problem has several other links to cryptography, and has been considered in a number of works, see [H |21 121] and references therein.

Furthermore, although for application to pairing based cryptography we usually have to solve the Hidden Shifted Power Problem in extension fields $q = p^k$ with $k > 1$, it has been shown by Koblitz and Menezes [31] that there are elliptic curves that lead to the case of $q = p$.

Certainly the most straightforward approach is to query $\mathcal{O}_{e,s}$ on $e+1$ arbitrary elements $x \in \mathbb{F}_q$ and then interpolate the results. Using a fast interpolation algorithm, see [27], leads to a deterministic algorithm of complexity $e(\log q)^{O(1)}$. For the Shifted Power Identity Testing, there is also a trivial probabilistic algorithm that is based on querying $\mathcal{O}_{e,s}$ (and $\mathcal{O}_{e,t}$) at randomly chosen elements $x \in \mathbb{F}_q$.

Here we mainly concentrate on the case of a prime $q = p > 3$. For the first variant of the Shifted Power Identity Testing (that is, when $t$ is known), using [9, Theorem 1] (see also [10]), which gives an upper bound on the intersection of a coset of a subgroup of $\mathbb{F}_p^*$ with a set of Farey fractions of a given order, we can obtain a faster algorithm whose complexity is $p^{o(1)}$ times a fixed power of $e$ strictly below $e$, where $o(1)$ always, if the opposite is not indicated, denotes a quantity that tends to zero as $p \to \infty$.

Here we obtain further improvements and in particular show that there is an algorithm with a still smaller exponent of $e$ for any $e < (p-1)/2$.

The second question, that is, when $t$ is unknown, seems to be harder; however we also obtain an improvement of the trivial interpolation algorithm and show that it can be solved by an algorithm of complexity $e^{2/3}p^{o(1)}$ for any $e < (p-1)/2$. Moreover, if $e = p^{o(1)}$ then we can achieve complexity $e^{o(1)}(\log p)^{O(1)}$.

1.2. Our Approach. Let $\mathcal{G}_e \subseteq \mathbb{F}_q^*$ be the multiplicative group of order $e \mid q-1$, that is,
$$\mathcal{G}_e = \{\mu \in \mathbb{F}_q : \mu^e = 1\}.$$
We now define the polynomials
$$F_{s,t}(X) = \prod_{\mu \in \mathcal{G}_e}\bigl(X + s - \mu(X + t)\bigr).$$
Our approach is based on the idea of choosing a small "test" set $\mathcal{X}$, which nevertheless is guaranteed to contain at least one element that is not a root of the polynomial $F_{s,t}$ for any $s \ne t$. This is based on a careful examination of the roots of $F_{s,t}$ and relating it to some classical number theoretic problems about the distribution of elements of small subgroups of finite fields.

Clearly, if $F_{s,t}(x) = 0$ for some $x \in \mathbb{F}_q$ then

(1) $\dfrac{x+s}{x+t} \in \mathcal{G}_e$

(provided $x + t \ne 0$). If $t$ is known, then we can choose the "test" set $\mathcal{X}$ in the form

(2) $\mathcal{X} = \{y^{-1} - t : y \in \mathcal{Y}\}$

for some set $\mathcal{Y} \subseteq \mathbb{F}_q^*$. Then the condition (1) means that a shift of $\mathcal{Y}$ is contained inside of a coset of $\mathcal{G}_e$, that is

(3) $\mathcal{Y} + r \subseteq r\,\mathcal{G}_e,$

where $r = (s-t)^{-1}$.

So our goal is to find a "small" set $\mathcal{Y} \subseteq \mathbb{F}_q^*$ such that its shifts cannot be inside of any coset of $\mathcal{G}_e$ (we note that the value of $r$ is unknown). Questions about the distribution of cosets of multiplicative groups have been considered in a number of works and have numerous applications, see [33] and also P[8l[T2l|9l[ni[39lllIlll2] for several more recent results and applications to cryptographic and computational number theory problems.

Here we concentrate on the case of prime fields, that is, when q = p 
is prime, where the tools we use are most developed and have rather 
sharp and explicit forms. This allows us to get a series of nontrivial 
estimates for both versions of the Shifted Power Identity Testing. 

The idea is to choose $\mathcal{Y}$ as a short interval of $h$ consecutive integers and to define $\mathcal{X}$ by (2). We then use a combination of results of Cilleruelo and Garaev [18] with the classical Burgess and Weil bounds (see [30]) to show that (3) fails (for some integer $h$ significantly smaller than $e$).
Furthermore, for small values of $e$ (for example, for $e = $ ) we obtain much stronger results and develop a new technique, which is based on several tools of commutative algebra and additive combinatorics. For example, we combine an explicit version of Hilbert's Nullstellensatz, see [34, Theorem 1], with a generalisation of a result of [9].
For the Hidden Shifted Power Problem we have not been able to improve on the interpolation approach. However, assuming that oracle calls are expensive, one can consider algorithms that minimise the number of such calls, that is, algorithms of low oracle complexity. Here we use a result of [40] in combination with some new bounds of character sums that are based on some ideas of Chang [16] to design several algorithms that require substantially fewer than the $e$ oracle calls that are needed for the interpolation approach.

Here we concentrate on the case of prime $q = p$, as in the general case several tools that exist in prime fields are unfortunately not available.

Besides concrete results we believe the present paper also introduces 
a number of new techniques to this area that can probably be used in 
several other questions. 

1.3. Notation. Throughout the paper, the letter $p$ always denotes a prime; $k$, $m$ and $n$ (as well as $K$, $M$ and $N$) always denote positive integers.

Any implied constants in the symbols $O$, $\ll$ and $\gg$ may occasionally depend, where obvious, on the integer parameter $\nu$ and the real positive parameters $\varepsilon$ and $\delta$, and are absolute otherwise. We recall that the notations $U = O(V)$, $U \ll V$ and $V \gg U$ are all equivalent to the statement that $|U| \le cV$ holds with some constant $c > 0$.

For a field $\mathbb{F}$, sets $\mathcal{A}_1, \ldots, \mathcal{A}_m \subseteq \mathbb{F}$ and a rational function
$$F(X_1, \ldots, X_m) \in \mathbb{F}(X_1, \ldots, X_m),$$
we define the set
$$F(\mathcal{A}_1, \ldots, \mathcal{A}_m) = \{F(a_1, \ldots, a_m) : a_1 \in \mathcal{A}_1, \ldots, a_m \in \mathcal{A}_m\}$$
(where the poles are ignored or alternatively the function $F$ can be defined as zero at its poles). In particular, for an integer $\nu$, $\mathcal{A}^{(\nu)}$ denotes the $\nu$-fold product set. However, we reserve the notation $u\mathcal{A}$ for the element-wise multiplication by $u$, that is, $u\mathcal{A} = \{ua : a \in \mathcal{A}\}$. We also reserve $\mathcal{A}^\nu$ for the $\nu$-fold Cartesian product of $\mathcal{A}$.

2. Tools from Analytic Number Theory, Polynomial 
Algebra and Arithmetic Combinatorics 

2.1. Finding and Bounding the Number of Solutions of Some Congruences. We start with the bound of Cilleruelo and Garaev [18, Theorem 1] on the number of points of modular hyperbolas in small boxes.

Lemma 1. Uniformly over integers $u$ and $v$ with $\gcd(v, p) = 1$, the congruence
$$(x + u)(y + u) \equiv v \pmod p, \qquad 1 \le x, y \le H,$$
has at most $H^{3/2}p^{-1/2} + H^{o(1)}$ solutions as $H \to \infty$.

We also need an estimate from [19] that follows from a combination of a result of Garaev and Garcia [25] (or a slightly weaker result of Ayyad, Cochrane and Zheng [2, Theorem 1]) and Lemma 1.

Lemma 2. Uniformly over integers $a$ and $H$ with $\gcd(a, p) = 1$, the congruence
$$(a + x_1)(a + x_2) \equiv (a + x_3)(a + x_4) \pmod p, \qquad 1 \le x_1, x_2, x_3, x_4 \le H,$$
has $H^4/p + O(H^{2 + o(1)})$ solutions as $H \to \infty$.

The following result for $m = 1$ is due to Garcia and Voloch [26]; another proof, with different constants, based on the method of Stepanov, can be found in [33, Lemma 3.2]. For any fixed $m > 1$ it follows instantly from [10, Lemma 4.1] by taking $s = 1$, $t = e$, $k = m$ and $B = \lfloor e^{1/(2k+1)} \rfloor + 1$.

Lemma 3. Assume that for a fixed integer $m \ge 1$ we have
$$p > \bigl(2m\lfloor e^{1/(2m+1)}\rfloor + 2m + 2\bigr)e.$$
Then for pairwise distinct $\mu_1, \ldots, \mu_m \in \mathbb{F}_p^*$ and arbitrary $\lambda_1, \ldots, \lambda_m \in \mathbb{F}_p^*$ the bound
$$\#\bigl(\mathcal{G}_e \cap (\lambda_1\mathcal{G}_e + \mu_1) \cap \ldots \cap (\lambda_m\mathcal{G}_e + \mu_m)\bigr) \ll e^{(m+1)/(2m+1)}$$
holds, where the implied constant depends on $m$.

For $x \in \mathbb{F}_p$, we denote by $|x|$ the minimum of absolute values of integers in the residue class of $x$ modulo $p$. We say that a set $\mathcal{D} \subseteq \mathbb{F}_p$ is $\Delta$-spaced if $|d_1 - d_2| \ge \Delta$ for any two distinct elements $d_1, d_2 \in \mathcal{D}$.

We now need a version of [14, Lemma 7].

Lemma 4. Let $0 < \beta < 1/2$, $\mathcal{I} = [1, p^\beta]$ and let $\mathcal{D} \subseteq \mathbb{F}_p$ be a $p^\beta$-spaced set of cardinality $\#\mathcal{D} = p^\sigma$. Then for any $\varepsilon > 0$ and sufficiently small $\beta_1, \ldots, \beta_j$ and sufficiently large $p$, the number of solutions $w(u)$ to the congruence
$$x + d \equiv u z_1 \cdots z_j \pmod p,$$
with
$$(x, d, z_1, \ldots, z_j) \in \mathcal{I} \times \mathcal{D} \times \mathcal{J}_1 \times \ldots \times \mathcal{J}_j,$$
where $\mathcal{J}_i = [1, p^{\beta_i}]$, $i = 1, \ldots, j$, satisfies the bound

Corollary 5. Let $\mathcal{S} \subseteq \mathbb{F}_p$ be a set of cardinality $\#\mathcal{S} = p^\alpha$. Then under the conditions of Lemma 4 the number of solutions $w(u, v)$ to the system of congruences
$$x + d \equiv u z_1 \cdots z_j \pmod p \qquad\text{and}\qquad x + s \equiv v z_1 \cdots z_j \pmod p$$
with
$$(x, d, s, z_1, \ldots, z_j) \in \mathcal{I} \times \mathcal{D} \times \mathcal{S} \times \mathcal{J}_1 \times \ldots \times \mathcal{J}_j$$
satisfies the bound
$$\sum_{u, v} w(u, v)^2 \ll p^{\alpha + \beta + \sigma + \cdots + \varepsilon}.$$

2.2. Finding Solutions to Binomial Equations. 

Lemma 6. Let $G$ be a group of order $m$, and let $d$ be relatively prime to $m$. Let $a \in G$. Then the equation $x^d = a$ has the unique solution $x = a^f$ where $df \equiv 1 \pmod m$.

This is the first part of [3, Theorem 7.3.1].

Now we consider equations $x^r = a$ in groups in the case when $r$ is a prime dividing the order of the group. Considering the cyclic group of order $m$, we do not assume that we are given a generating element of the group. Instead, we assume that there is an oracle which gives some unique label to every element of $G$ and also that, given $a, b \in G$, computes the product of these elements in time $(\log m)^{O(1)}$. A natural example is the multiplicative group $\mathbb{F}_p^*$. The following result is implicitly contained in [3, Theorem 7.3.2].

Lemma 7. Let $G$ be the cyclic group of order $m$, and let $r$ be a prime dividing $m$. Given an element $b \in G$ such that the equation $x^r = b$ has no solutions in $G$, for any $a \in G$ there is a deterministic algorithm to find all solutions of the equation $x^r = a$ in time $r(\log m)^{O(1)}$.

Although the algorithm analysed in [3, Theorem 7.3.2] is probabilistic, it is easy to see that the only place where the randomisation is used is in finding $b$ satisfying the conditions of Lemma 7.

Subsequently applying Lemma 7 we get the following:
Lemma 8. For a prime $p$, a positive integer $e \mid p-1$ and $A \in \mathbb{F}_p$, given $\ell$-th power nonresidues for all prime divisors $\ell \mid e$, there is a deterministic algorithm to find all solutions of the equation $x^e = A$ in time $e(\log p)^{O(1)}$.
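The root-finding machinery of Lemmas 6, 7 and 8 can be implemented directly. The following is an added example, not code from the paper: it works in $G = \mathbb{F}_p^*$, assumes the $\ell$-th power nonresidues are supplied as the lemmas require (the helper that finds them by trial is exactly the step Lemma 7 leaves to randomisation), extracts an $r$-th root for a prime $r \mid p-1$ by recovering the $r$-adic digits of an exponent in the Sylow $r$-subgroup (the $r$ trials per digit are the factor $r$ in the running time), and peels the exponent $e$ off one prime factor at a time so that every solution of $x^e = A$ is returned. The prime $p = 73$ and the function names are illustrative choices made here.

```python
# Added example: deterministic e-th root extraction in F_p along the lines of
# Lemmas 6-8.  Not code from the paper; p = 73 and the function names are
# illustrative choices.

def factor(n):
    """Trial-division factorisation {prime: multiplicity}; enough for toy sizes."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f

def find_nonresidue(p, l):
    """An l-th power nonresidue b (b^((p-1)/l) != 1).  The lemmas assume such a b
    is given; searching for it is the only non-deterministic ingredient."""
    for b in range(2, p):
        if pow(b, (p - 1) // l, p) != 1:
            return b
    raise ValueError("l must divide p - 1")

def coprime_root(p, d, a):
    """Lemma 6 in G = F_p^*: gcd(d, p-1) = 1, so x^d = a has the unique solution
    x = a^f with d*f = 1 (mod p-1)."""
    return pow(a % p, pow(d, -1, p - 1), p)

def prime_root(p, r, a, b):
    """Lemma 7 in G = F_p^*: r prime, r | p-1, b an r-th power nonresidue.
    Returns one x with x^r = a, or None when a is not an r-th power."""
    a %= p
    if a == 0:
        return 0
    k, q = 0, p - 1
    while q % r == 0:
        k, q = k + 1, q // r               # p - 1 = r^k q, gcd(q, r) = 1
    g = pow(b, q, p)                        # order exactly r^k (b is a nonresidue)
    h = pow(g, r ** (k - 1), p)             # order exactly r
    hinv = pow(h, -1, p)
    E, cur = 0, pow(a, q, p)                # invariant: cur = a^q * g^(-E)
    for i in range(k):                      # recover the base-r digits of E
        t = pow(cur, r ** (k - 1 - i), p)   # equals h^(next digit)
        digit = 0
        while t != 1:                       # at most r - 1 trials: the factor r
            t = t * hinv % p
            digit += 1
        E += digit * r ** i
        cur = cur * pow(g, -digit * r ** i, p) % p
    if E % r:
        return None                         # a^q = g^E is not an r-th power
    alpha = pow(q, -1, r)                   # alpha*q + beta*r = 1
    beta = (1 - alpha * q) // r
    # a = a^(alpha q) * a^(beta r) = (g^(E alpha / r))^r * (a^beta)^r
    return pow(g, (E // r) * alpha, p) * pow(a, beta, p) % p

def all_roots(p, e, A, nonres):
    """Lemma 8: every solution of x^e = A in F_p, e | p-1, given nonres[l] for
    each prime l | e.  Each prime factor of e is split off in turn."""
    if A % p == 0:
        return [0]
    sols = [A % p]                          # solutions of y^1 = A
    for l, mult in factor(e).items():
        omega = pow(nonres[l], (p - 1) // l, p)   # primitive l-th root of unity
        for _ in range(mult):
            new = []
            for y in sols:
                x = prime_root(p, l, y, nonres[l])
                if x is not None:
                    new.extend(x * pow(omega, i, p) % p for i in range(l))
            sols = new
    return sorted(set(sols))

if __name__ == "__main__":
    p, e = 73, 12                           # p - 1 = 72 = 2^3 * 3^2
    nonres = {l: find_nonresidue(p, l) for l in factor(e)}
    A = pow(5, e, p)
    print(all_roots(p, e, A, nonres))       # 12 solutions, all with x^12 = A
```

For $p = 73$ and $e = 12$ the equation $x^{12} = 5^{12}$ has exactly $\gcd(12, 72) = 12$ solutions, which is what the peeling returns; for a quadratic nonresidue such as $A = 5$ the first factor $\ell = 2$ already reports no root and the list is empty.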

Now we consider the solutions of the equation $x^e = A$ satisfying restrictions. Let $\ell$ be a prime divisor of $e$. For a positive integer $\alpha$, we write $\ell^\alpha \,\|\, e$ if $\ell^\alpha \mid e$ and $\ell^{\alpha+1} \nmid e$. By $\operatorname{ind} x$ we denote the index of an element $x \in \mathbb{F}_p^*$ with respect to a fixed primitive root $g$ modulo $p$, that is the unique integer $z \in [0, p-2]$ with $x = g^z$.

Lemma 9. For a prime $p$, $A \in \mathbb{F}_p$, and a prime $\ell$ with $\ell^\alpha \,\|\, p-1$, there is a deterministic algorithm to find all solutions of the equation $x^\ell = A$ satisfying $\ell^\alpha \mid \operatorname{ind} x$ in time $(\log p)^{O(1)}$.

Proof. It is enough to apply Lemma 6 to the group $G = \{x \in \mathbb{F}_p^* : \ell^\alpha \mid \operatorname{ind} x\}$ of order $(p-1)/\ell^\alpha$, which is not divisible by $\ell$. $\square$

Lemma 10. For a prime $p$, $A \in \mathbb{F}_p$, a prime divisor $\ell \mid p-1$ with $\ell^\alpha \,\|\, p-1$ and a nonnegative integer $\beta < \alpha$, given an $\ell^{\beta+1}$-th power nonresidue, there is a deterministic algorithm to find all solutions of the equation $x^\ell = A$ satisfying $\ell^\beta \mid \operatorname{ind} x$ in time $\ell(\log p)^{O(1)}$.

Proof. Let $a$ be an $\ell^{\beta+1}$-th power nonresidue. Then $\ell^\gamma \,\|\, \operatorname{ind} a$ for some $\gamma \le \beta$. Hence $\ell^\beta \,\|\, \operatorname{ind} b$ for $b = a^{\ell^{\beta-\gamma}}$. Then we can apply Lemma 7 to
$$G = \{x \in \mathbb{F}_p^* : \ell^\beta \mid \operatorname{ind} x\}$$
and $r = \ell$. $\square$

Subsequently applying Lemmas 9 and 10 we get the following.

Lemma 11. Let $p$ be a prime and $e \mid p-1$. For any prime divisor $\ell \mid e$ with $\ell^{\alpha_\ell} \,\|\, p-1$ we take either $\gamma_\ell = \alpha_\ell$ or $\gamma_\ell < \alpha_\ell$ so that we are given an $\ell^{\gamma_\ell+1}$-th power nonresidue. Let
$$n = \prod_{\substack{\ell \mid e \\ \ell\ \mathrm{prime}}} \ell^{\gamma_\ell}$$
and $A \in \mathbb{F}_p$. Then there is a deterministic algorithm to find all solutions of the equation $x^e = A$ satisfying $n \mid \operatorname{ind} x$ in time $e(\log p)^{O(1)}$.

Lemma 12. Assume that $p, e, n$ satisfy the conditions of Lemma 11. Let $A_0, \ldots, A_n \in \mathbb{F}_p$. Then there is a deterministic algorithm to find all solutions of the system of equations
$$(x + j)^e = A_j, \qquad j = 0, \ldots, n,$$
in time $e(\log p)^{O(1)}n^{O(1)}$.
Proof. If $A_j = 0$ for some $j$, then there is nothing to prove. We assume that $A_j \ne 0$ for all $j = 0, \ldots, n$. Let $x$ be any solution of the system. By the pigeonhole principle, there are $j_1 \ne j_2$ so that
$$\operatorname{ind}(x + j_1) \equiv \operatorname{ind}(x + j_2) \pmod n,$$
or, equivalently, $n \mid \operatorname{ind} y$ for $y = (x + j_2)/(x + j_1)$. We can extract all such $x$ satisfying the above system of equations by applying Lemma 11 to the equation $y^e = A_{j_2}/A_{j_1}$ and testing all possible values of
$$x = \frac{j_2 - j_1}{y - 1} - j_1$$
(note that $y \ne 1$ since $j_1 \ne j_2$). To complete the proof, we simply try all pairs $(j_1, j_2)$ with $0 \le j_1 < j_2 \le n$. $\square$

2.3. Smooth Numbers and Their Reductions Modulo $p$. Let $x, y > 0$. A positive integer $n$ is called $y$-smooth if it is composed of prime numbers up to $y$. The function $\Psi(x, y)$ is defined as the number of $y$-smooth positive integers that are up to $x$.

We know the following estimate for $\Psi(x, y)$, see [28, Corollary 1.3]:

Lemma 13. Let $x \ge y \ge 2$ and $u = (\log x)/\log y$. For any fixed $\delta > 0$ we have

as $y$ and $u$ tend to infinity, uniformly in the range $y \ge (\log x)^{1+\delta}$.

Corollary 14. Let $0 < \varepsilon < 1/2$ be fixed and $p$ be a prime. Then the order of the subgroup of $\mathbb{F}_p^*$ generated by $\{1, \ldots, \lfloor p^\varepsilon \rfloor\}$ is at least $p\,\varepsilon^{c/\varepsilon}$ for some absolute constant $c > 0$.

Proof. Let $x = p - 1$ and $y = \lfloor p^\varepsilon \rfloor$. Also, let $\mathcal{H}$ be the subgroup of $\mathbb{F}_p^*$ generated by $\{1, \ldots, y\}$. If $y \le (\log p)^2$ then the result follows from the trivial estimate $\#\mathcal{H} \ge 1$. Assume that $y > (\log p)^2$. Observe that all $y$-smooth numbers up to $x$ belong to $\mathcal{H}$. Hence $\#\mathcal{H} \ge \Psi(x, y)$, and the result follows from Lemma 13. $\square$



2.4. Combinatorial Estimates. We need the following result about covering an arbitrary set $\mathcal{S} \subseteq \mathbb{F}_p$ by $\sqrt{p}/3$-spaced sets.

Lemma 15. Let $p \ge 37$, $\kappa > 0$ and $\xi = \lfloor \sqrt{p} \rfloor$. Then any set $\mathcal{S} \subseteq \mathbb{F}_p$ of size $\#\mathcal{S} \ge 16p^{2\kappa}$ contains disjoint subsets $\mathcal{D}_k$, $k = 1, \ldots, K$, and $\mathcal{S}_\ell$, $\ell = 1, \ldots, L$, such that

(i) $\#\mathcal{D}_k, \#\mathcal{S}_\ell \ge 0.25\,p^{-\kappa}(\#\mathcal{S})^{1/2}$, $k = 1, \ldots, K$, $\ell = 1, \ldots, L$;

(ii) $\mathcal{D}_k$ is a $\sqrt{p}/3$-spaced set, $k = 1, \ldots, K$;

(iii) $\xi\mathcal{S}_\ell$ is a $\sqrt{p}/3$-spaced set, $\ell = 1, \ldots, L$;

(iv) $\#(\mathcal{S} \setminus (\mathcal{S}_0 \cup \mathcal{S}_1)) \le 2p^{-\kappa}\#\mathcal{S}$, where $\mathcal{S}_0 = \bigcup_{k=1}^K \mathcal{D}_k$, $\mathcal{S}_1 = \bigcup_{\ell=1}^L \mathcal{S}_\ell$.
Proof. Let $U = \sqrt{p}/3$. Extract from $\mathcal{S}$ a maximal (that is, not extendable any more) collection of disjoint $U$-spaced sets $\mathcal{D}_k$ with $\#\mathcal{D}_k \ge p^{-\kappa}(\#\mathcal{S})^{1/2}$, $k = 1, \ldots, K$, and denote
$$\mathcal{T} = \mathcal{S} \setminus \mathcal{S}_0,$$
where, as before, $\mathcal{S}_0 = \bigcup_{k=1}^K \mathcal{D}_k$. Clearly
$$\mathcal{T} \subseteq \bigcup_{x \in \mathcal{X}} (x + \mathcal{I}),$$
for $\mathcal{I} = [-U, U]$ and some $U$-spaced set $\mathcal{X} \subseteq \mathbb{F}_p$ with $\#\mathcal{X} \le (\#\mathcal{S})^{1/2}$ (take for $\mathcal{X}$ a maximal $U$-spaced subset of $\mathcal{T}$; by the maximality of the collection $\mathcal{D}_k$ it has fewer than $p^{-\kappa}(\#\mathcal{S})^{1/2}$ elements). Let $\mathcal{E}_\ell$, $\ell = 1, \ldots, L$, be the collection of the sets $\mathcal{T} \cap (x + \mathcal{I})$, $x \in \mathcal{X}$, for which $\#(\mathcal{T} \cap (x + \mathcal{I})) \ge p^{-\kappa}(\#\mathcal{S})^{1/2}$.

The total size of the remaining sets $\mathcal{T} \cap (x + \mathcal{I})$, $x \in \mathcal{X}$, is at most $\#\mathcal{X}\,p^{-\kappa}(\#\mathcal{S})^{1/2} \le p^{-\kappa}\#\mathcal{S}$.

Now we take disjoint subsets $\mathcal{S}_\ell \subseteq \mathcal{E}_\ell$ so that
$$\bigcup_{\ell=1}^L \mathcal{S}_\ell = \bigcup_{\ell=1}^L \mathcal{E}_\ell.$$
Thus, for any $\ell = 1, \ldots, L$ the set $\mathcal{S}_\ell$ is formed by all elements $x \in \mathcal{E}_\ell$ belonging to no other set $\mathcal{E}_j$ and some elements shared by $\mathcal{E}_\ell$ and another set $\mathcal{E}_j$.

Any element $x \in \mathbb{F}_p$ belongs to at most two sets $\mathcal{E}_\ell$. Moreover, any set $\mathcal{E}_\ell$ can have common elements with at most two sets $\mathcal{E}_j$. If $i < j$ and $\mathcal{E}_i$ and $\mathcal{E}_j$ have $n$ common elements, we send $\lfloor n/2 \rfloor$ of them to $\mathcal{S}_i$ and the other $\lceil n/2 \rceil$ elements to $\mathcal{S}_j$. We obtain a collection of disjoint sets $\mathcal{S}_\ell$ of size
$$\#\mathcal{S}_\ell \ge \#\mathcal{E}_\ell/2 - 1 \ge p^{-\kappa}(\#\mathcal{S})^{1/2}/2 - 1 \ge 0.25\,p^{-\kappa}(\#\mathcal{S})^{1/2},$$
for $\ell = 1, \ldots, L$, where the last inequality uses $\#\mathcal{S} \ge 16p^{2\kappa}$.

Hence, with $\mathcal{S}_1 = \bigcup_{\ell=1}^L \mathcal{S}_\ell$, we have
$$\#(\mathcal{S} \setminus (\mathcal{S}_0 \cup \mathcal{S}_1)) \le p^{-\kappa}\#\mathcal{S}.$$

Since $p \ge 37$, we have
$$2U(\xi + 1) \le (2\sqrt{p}/3)(\sqrt{p} + 1) < (\sqrt{p} - 1)(\sqrt{p} + 1) < p,$$
or $2U\xi < p - U$. Also, $\xi \ge U$. Therefore, the set $\xi\mathcal{I}$ is $U$-spaced, and certainly the set $\xi\mathcal{S}_\ell$ is also $U$-spaced for every $\ell = 1, \ldots, L$. $\square$
2.5. Bounds of Multiplicative Character Sums. We need the following very special case of the Weil bound on sums of multiplicative characters (see [30, Theorem 11.23]).

Lemma 16. For an arbitrary integer $h$ with $1 \le h < p$, a positive integer $f$ and a nonprincipal multiplicative character $\chi$ of $\mathbb{F}_p^*$, the bound
$$\sum_{x=1}^{p} \chi(x^f + h) = O\bigl(fp^{1/2}\bigr)$$
holds.

Also, we need an estimate for character sums including both multiplicative and additive characters (see [35, Chapter 6, Theorem 3] or [11, Appendix 5, Example 12]).

Lemma 17. Let $\chi_1, \ldots, \chi_r$ be characters modulo $p$, at least one of which is nonprincipal, and let $f(X) \in \mathbb{F}_p[X]$ be an arbitrary polynomial of degree $d$. Then for any distinct $a_1, \ldots, a_r \in \mathbb{F}_p$ we have
$$\Bigl|\sum_{x \in \mathbb{F}_p} \chi_1(x + a_1) \cdots \chi_r(x + a_r)\exp\bigl(2\pi i f(x)/p\bigr)\Bigr| \le (r + d)p^{1/2}.$$

The standard reduction of incomplete sums to complete ones (see [30, Section 12.2]) together with the bound of Lemma 17 lead to the following estimate:

Lemma 18. For an arbitrary integer $h$ with $1 \le h < p$, distinct elements $s, t \in \mathbb{F}_p$ and a nonprincipal multiplicative character $\chi$ of $\mathbb{F}_p^*$, the bound
$$\sum_{x=1}^{h} \chi(x + s)\overline{\chi}(x + t) = O\bigl(p^{1/2}\log p\bigr)$$
holds.



The following result is a combination of the Polya–Vinogradov (for $\nu = 1$) and Burgess (for $\nu \ge 2$) bounds, see [30, Theorems 12.5 and 12.6].

Lemma 19. For an arbitrary integer $h$ with $1 \le h < p$, and a nonprincipal multiplicative character $\chi$ of $\mathbb{F}_p^*$, the bound
$$\Bigl|\sum_{y=1}^{h} \chi(y)\Bigr| \le h^{1 - 1/\nu}p^{(\nu+1)/(4\nu^2) + o(1)}$$
holds with an arbitrary positive integer $\nu$.
We use $\overline{\chi}$ to denote the complex conjugate character to $\chi$. The following estimate is a generalisation of [14, Theorem 8].

Lemma 20. Let $0 < \beta < 1/2$, $\mathcal{I} = [0, p^\beta]$. Let $\mathcal{D} \subseteq \mathbb{F}_p$ be a $p^\beta$-spaced set of cardinality $\#\mathcal{D} = p^\sigma$ and let $\mathcal{S} \subseteq \mathbb{F}_p$ be a set of cardinality $\#\mathcal{S} = p^\alpha$. For any $\delta > 0$ there is some $\eta > 0$ such that if
$$2\beta + \alpha + \sigma\,\frac{1 - 2\beta}{1 - \beta} \ge 1 + \delta$$
then for any nontrivial multiplicative character $\chi$ of $\mathbb{F}_p^*$ we have
$$\sum_{d \in \mathcal{D}}\sum_{s \in \mathcal{S}}\Bigl|\sum_{x \in \mathcal{I}} \chi(x + d)\overline{\chi}(x + s)\Bigr| \ll \#\mathcal{I}\,\#\mathcal{D}\,\#\mathcal{S}\,p^{-\eta}.$$

Proof. We can assume that $\delta$ is sufficiently small. Take a sufficiently large $j$, a sufficiently small $\Delta > 0$, set
$$\beta_0 = \gamma = \frac{\beta - \Delta}{j + 1},$$
and consider the intervals $\mathcal{J} = [1, p^\gamma]$ and $\mathcal{J}_0 = [1, p^{\beta_0}]$. Shifting $x$ by $tz_1 \cdots z_j$ with $t \in \mathcal{J}_0$, $z_1, \ldots, z_j \in \mathcal{J}$, and using $\chi(x + tz + d)\overline{\chi}(x + tz + s) = \chi\bigl((x+d)/z + t\bigr)\overline{\chi}\bigl((x+s)/z + t\bigr)$ for $z = z_1 \cdots z_j$, it is easy to see that
$$\sum_{d \in \mathcal{D}}\sum_{s \in \mathcal{S}}\Bigl|\sum_{x \in \mathcal{I}} \chi(x + d)\overline{\chi}(x + s)\Bigr| \le \frac{1}{(\#\mathcal{J})^j\,\#\mathcal{J}_0}\sum_{d \in \mathcal{D}}\sum_{s \in \mathcal{S}}\sum_{x \in \mathcal{I}}\sum_{z_1, \ldots, z_j \in \mathcal{J}}\Bigl|\sum_{t \in \mathcal{J}_0} \chi\Bigl(\frac{x + d}{z_1 \cdots z_j} + t\Bigr)\overline{\chi}\Bigl(\frac{x + s}{z_1 \cdots z_j} + t\Bigr)\Bigr| + O\bigl(p^{\alpha + \sigma + \beta_0 + j\gamma}\bigr),$$
where the error term accounts for the boundary effect of the shift and is $\#\mathcal{I}\,\#\mathcal{D}\,\#\mathcal{S}\,p^{-\Delta}$ by the choice of $\beta_0$ and $\gamma$.

Now, invoking Corollary 5 and using the same argument as in the proof of [14, Theorem 8] we obtain the desired result. $\square$

Lemma 21. Assume that $\alpha > 0$, $\delta > 0$ and $0 < \beta < 1/2 - \delta$ satisfy
$$2\beta + \alpha\,\frac{3 - 4\beta}{2 - 2\beta} \ge 1 + \delta.$$
Let $\mathcal{S} \subseteq \mathbb{F}_p$ be of cardinality $\#\mathcal{S} = p^\alpha$ and let $\mathcal{X} = [0, p^\beta]$. We denote $\xi = \lfloor \sqrt{p} \rfloor$ (as in Lemma 15) and define $\zeta$ by the conditions
$$\xi\zeta \equiv 1 \pmod p \qquad\text{and}\qquad 1 \le \zeta < p.$$
There is a partition
$$\mathcal{S} = \mathcal{T}_0 \cup \mathcal{T}_1 \qquad\text{and}\qquad \mathcal{T}_0 \cap \mathcal{T}_1 = \emptyset$$
such that for any nontrivial multiplicative character $\chi$ of $\mathbb{F}_p^*$ we have
$$\sum_{s_1, s_2 \in \mathcal{T}_\nu}\Bigl|\sum_{x \in \mathcal{X}} \chi(\zeta^\nu x + s_1)\overline{\chi}(\zeta^\nu x + s_2)\Bigr| \ll \#\mathcal{X}\,(\#\mathcal{S})^2\,p^{-\eta}, \qquad \nu = 0, 1,$$
for some $\eta > 0$ that depends only on $\delta$.

Proof. We consider that $p$ is so large that $p \ge 37$ and $p^{1/2 - \beta} \ge 3$. Then $p^\beta \le \sqrt{p}/3$. We take $\kappa = \delta/10$ and define the sets $\mathcal{S}_0$ and $\mathcal{S}_1$ as in Lemma 15. We now put $\mathcal{T}_1 = \mathcal{S}_1$ and then define $\mathcal{T}_0 = \mathcal{S} \setminus \mathcal{T}_1$. Then in the notation of Lemma 15 we have
$$\begin{aligned}
\sum_{s_1, s_2 \in \mathcal{T}_0}\Bigl|\sum_{x \in \mathcal{X}} \chi(x + s_1)\overline{\chi}(x + s_2)\Bigr|
&= \sum_{s_1, s_2 \in \mathcal{S}_0}\Bigl|\sum_{x \in \mathcal{X}} \chi(x + s_1)\overline{\chi}(x + s_2)\Bigr| + O\bigl((\#\mathcal{S})^2\,\#\mathcal{X}\,p^{-\kappa}\bigr)\\
&= \sum_{k=1}^{K}\sum_{d \in \mathcal{D}_k}\sum_{s \in \mathcal{S}_0}\Bigl|\sum_{x \in \mathcal{X}} \chi(x + d)\overline{\chi}(x + s)\Bigr| + O\bigl((\#\mathcal{S})^2\,\#\mathcal{X}\,p^{-\kappa}\bigr)\\
&\le \sum_{k=1}^{K}\sum_{d \in \mathcal{D}_k}\sum_{s \in \mathcal{S}}\Bigl|\sum_{x \in \mathcal{X}} \chi(x + d)\overline{\chi}(x + s)\Bigr| + O\bigl((\#\mathcal{S})^2\,\#\mathcal{X}\,p^{-\kappa}\bigr).
\end{aligned}$$
Since $\mathcal{D}_k$ is a $p^\beta$-spaced set of cardinality $\#\mathcal{D}_k \ge 0.25\,p^\sigma$ with $\sigma = \alpha/2 - \kappa$, $k = 1, \ldots, K$, we see that the conditions of Lemma 20 are satisfied (with $\delta$ replaced by $9\delta/10$, as $\kappa = \delta/10$), which implies the desired bound for the set $\mathcal{S}_0$.

For the set $\mathcal{T}_1$ we write
$$\sum_{s_1, s_2 \in \mathcal{T}_1}\Bigl|\sum_{x \in \mathcal{X}} \chi(\zeta x + s_1)\overline{\chi}(\zeta x + s_2)\Bigr| = \sum_{s_1, s_2 \in \mathcal{T}_1}\Bigl|\sum_{x \in \mathcal{X}} \chi(x + \xi s_1)\overline{\chi}(x + \xi s_2)\Bigr|$$
and then proceed as before, applying Lemma 20 with $\mathcal{S}$ replaced by the set $\xi\mathcal{S}$. $\square$

2.6. Quantitative Result on Polynomial Ideals. We recall the following quantitative version of the Bezout theorem, that follows from a result of Krick, Pardo and Sombra [34, Theorem 1] (that improves a series of previous estimates).

We recall that the logarithmic height of a nonzero polynomial $P \in \mathbb{Z}[Z_1, \ldots, Z_n]$ is defined as the logarithm of the largest (by absolute value) coefficient of $P$.

Lemma 22. Let $P_1, \ldots, P_N \in \mathbb{Z}[Z_1, \ldots, Z_n]$ be $N \ge 1$ polynomials in $n$ variables without common zero in $\mathbb{C}^n$, of degree at most $D \ge 3$ and of logarithmic height at most $H$. Then there is a positive integer $b$ with
$$\log b \le c(n)D^n(H + \log N + D)$$
and polynomials $R_1, \ldots, R_N \in \mathbb{Z}[Z_1, \ldots, Z_n]$ such that
$$P_1R_1 + \ldots + P_NR_N = b,$$
where $c(n)$ depends only on $n$.

Using the classical argument of Hilbert we obtain the following version of the Nullstellensatz (see [7] for several similar results and further references).

Lemma 23. Let $P_1, \ldots, P_N, f \in \mathbb{Z}[Z_1, \ldots, Z_n]$ be $N + 1 \ge 2$ polynomials in $n$ variables of degree at most $D \ge 3$ and of logarithmic height at most $H$ such that $f$ vanishes on the variety
$$P_1(Z_1, \ldots, Z_n) = \ldots = P_N(Z_1, \ldots, Z_n) = 0.$$
There are positive integers $b$ and $r$ with
$$\log b \le C(n)D^{n+1}(H + \log N + D)$$
and polynomials $Q_1, \ldots, Q_N \in \mathbb{Z}[Z_1, \ldots, Z_n]$ such that
$$P_1Q_1 + \ldots + P_NQ_N = bf^r,$$
where $C(n)$ depends only on $n$.

Proof. We consider the $N + 1$ polynomials
$$P_0 = 1 - Tf \qquad\text{and}\qquad \widetilde{P}_j = TP_j, \quad j = 1, \ldots, N,$$
in $\mathbb{Z}[Z_1, \ldots, Z_n, T]$. By the assumption on $f$, they have no common zero. Hence, by Lemma 22 we get
$$(1 - Tf)Q_0 + TP_1Q_1 + \ldots + TP_NQ_N = b$$
for some polynomials $Q_0, Q_1, \ldots, Q_N \in \mathbb{Z}[Z_1, \ldots, Z_n, T]$ and a positive integer $b$ satisfying the desired inequality. Replacing $T$ by $1/f$ and clearing the denominators we obtain the desired relation. $\square$

Finally, we need a slightly more general form of a result of Chang [15]. In fact, this is exactly the statement that is established in the proof of [15, Lemma 2.14], see [15, Equation (2.15)].

Lemma 24. Let $P_1, \ldots, P_N, P \in \mathbb{Z}[Z_1, \ldots, Z_n]$ be $N + 1 \ge 2$ polynomials in $n$ variables of degree at most $D$ and of logarithmic height at most $H \ge 1$. If the zero-set
$$P_1(Z_1, \ldots, Z_n) = \ldots = P_N(Z_1, \ldots, Z_n) = 0 \qquad\text{and}\qquad P(Z_1, \ldots, Z_n) \ne 0$$
is not empty then it has a point in an extension $\mathbb{K}$ of $\mathbb{Q}$ of degree $[\mathbb{K} : \mathbb{Q}] \le C_1(D, N, n)$ such that the minimal polynomials of its coordinates are of logarithmic height at most $C_2(D, N, n)H$, where $C_1(D, N, n)$ and $C_2(D, N, n)$ depend only on $D$, $N$ and $n$.

Finally, we recall the following well-known result, see, for example, [27, Theorem 6.32].

Lemma 25. Let $P, Q \in \mathbb{Z}[Z]$ be two univariate non-zero polynomials with $Q \mid P$. If $P$ is of logarithmic height at most $H \ge 1$ then $Q$ is of logarithmic height at most $H + O(1)$, where the implied constant depends only on $\deg P$.

2.7. Product Sets in Number Fields. Let $\mathbb{K}$ be a finite extension of $\mathbb{Q}$ and let $\mathbb{Z}_\mathbb{K}$ be the ring of integers in $\mathbb{K}$. We denote by $\mathcal{H}(\gamma)$ the logarithmic height of $\gamma \in \mathbb{K}$. We recall that the logarithmic height of an algebraic number $\alpha$ is defined as the logarithmic height of its minimal polynomial.

For an integral ideal $\mathfrak{a}$ of $\mathbb{Z}_\mathbb{K}$ we denote by $\mathrm{Nm}(\mathfrak{a})$ the norm of $\mathfrak{a}$, that is, the cardinality of the residue ring $\mathbb{Z}_\mathbb{K}/\mathfrak{a}$. We also use $\mathrm{Nm}(a)$ to denote the norm of $a \in \mathbb{Z}_\mathbb{K}$. In particular $\mathrm{Nm}(a) = \mathrm{Nm}((a))$ where $(a)$ denotes the principal ideal generated by $a$.

First we recall the following well-known bound, which follows immediately from [37, Lemma 4.2] and the classical bound on the divisor function.

Lemma 26. Let $\mathbb{K}$ be a finite extension of $\mathbb{Q}$ of degree $d = [\mathbb{K} : \mathbb{Q}]$. For any integer $N \ge 3$, in $\mathbb{K}$ there are at most $\exp\bigl(O(\log N/\log\log N)\bigr)$ integral ideals of norm $N$, where the implied constant depends on $d$.

We also need a bound of Chang [15, Proposition 2.5] on the divisor function in algebraic number fields.

Lemma 27. Let $\mathbb{K}$ be a finite extension of $\mathbb{Q}$ of degree $d = [\mathbb{K} : \mathbb{Q}]$. For any algebraic integer $\gamma \in \mathbb{Z}_\mathbb{K}$ of logarithmic height at most $H \ge 2$, the number of pairs $(\gamma_1, \gamma_2)$ of algebraic integers $\gamma_1, \gamma_2 \in \mathbb{Z}_\mathbb{K}$ of logarithmic height at most $H$ with $\gamma = \gamma_1\gamma_2$ is at most $\exp\bigl(O(H/\log H)\bigr)$, where the implied constant depends on $d$.

We now derive the following generalisation of [9, Lemma 2].

Lemma 28. Let $\mathbb{K}$ be a finite extension of $\mathbb{Q}$ of degree $d = [\mathbb{K} : \mathbb{Q}]$. Let $\mathcal{A}, \mathcal{B} \subseteq \mathbb{K}$ be finite sets with elements of logarithmic height at most $H$. Then we have
$$\#(\mathcal{A}\mathcal{B}) \ge \exp\Bigl(-c(d)\frac{H}{\log H}\Bigr)\#\mathcal{A}\,\#\mathcal{B},$$
where $c(d)$ depends only on $d$.

Proof. We fix some maps $\mathfrak{a}(\gamma)$ and $\mathfrak{b}(\gamma)$ (not necessarily uniquely defined) that for an algebraic number $\gamma \in \mathbb{K}$ produce relatively prime integral ideals $\mathfrak{a}(\gamma), \mathfrak{b}(\gamma) \subseteq \mathbb{Z}_\mathbb{K}$ of norm $\exp\bigl(O(\mathcal{H}(\gamma))\bigr)$ with
$$(\gamma) = \mathfrak{a}(\gamma)\mathfrak{b}(\gamma)^{-1}.$$
We also use $\mathcal{C}_H$ to denote the set of elements of $\mathbb{K}$ of logarithmic height at most $H$.

Clearly if the ideals $\mathfrak{a}(\gamma) = \mathfrak{a}$ and $\mathfrak{b}(\gamma) = \mathfrak{b}$ are fixed then $\gamma$ is defined up to multiplication by a unit. Thus as in the proof of [15, Proposition 2.5] we see that for any integral ideals $\mathfrak{a}$ and $\mathfrak{b}$ we have

(4) $\#\{\gamma \in \mathcal{C}_H : \mathfrak{a}(\gamma) = \mathfrak{a},\ \mathfrak{b}(\gamma) = \mathfrak{b}\} = \exp\bigl(O(H/\log H)\bigr).$

Denote
$$M_1 = \exp\Bigl(c_1(d)\frac{H}{\log H}\Bigr) \qquad\text{and}\qquad M_2 = \exp\Bigl(c_2(d)\frac{H}{\log H}\Bigr)$$
for certain constants $c_1(d), c_2(d) > 0$ that depend only on $d$.

We claim that for an appropriate choice of $c_1(d)$ and $c_2(d)$ there is a subset $\mathcal{A}_0 \subseteq \mathcal{C}_H$ of cardinality

(5) $\#\mathcal{A}_0 \ge M_2^{-2}\#\mathcal{A} = \exp\Bigl(-2c_2(d)\dfrac{H}{\log H}\Bigr)\#\mathcal{A}$

and two integral ideals $\mathfrak{s}_1$ and $\mathfrak{s}_2$ such that $\mathfrak{s}_1\mathcal{A}_0 \subseteq \mathfrak{s}_2\mathcal{A}$ and for any integral ideal $\mathfrak{m}$ with $\mathrm{Nm}(\mathfrak{m}) \ge M_1$ we have

(6) $\#\{\gamma \in \mathcal{A}_0 : \mathfrak{m} \mid \mathfrak{a}(\gamma) \text{ or } \mathfrak{m} \mid \mathfrak{b}(\gamma)\} \le \dfrac{2}{M_2}\#\mathcal{A}_0.$

The construction is straightforward. For a real positive $R$ we denote
$$\mathcal{E}_R = \{\gamma \in \mathbb{K} : \mathrm{Nm}(\mathfrak{a}(\gamma)\mathfrak{b}(\gamma)) \le R\}.$$
Hence $\mathcal{C}_H \subseteq \mathcal{E}_R$ where

(7) $R = \exp(O(H)).$

If $\mathcal{A}_0 = \mathcal{A}$ does not satisfy (6), there is an integral ideal $\mathfrak{m}_1 \subseteq \mathbb{Z}_\mathbb{K}$ with $\mathrm{Nm}(\mathfrak{m}_1) \ge M_1$ and a subset $\mathcal{A}_1 \subseteq \mathcal{E}_{R/\mathrm{Nm}(\mathfrak{m}_1)} \subseteq \mathcal{E}_{R/M_1}$ of cardinality $\#\mathcal{A}_1 \ge M_2^{-1}\#\mathcal{A}$ and such that

• either $\mathfrak{m}_1\mathcal{A}_1 \subseteq \mathcal{A}$

• or $\mathcal{A}_1 \subseteq \mathfrak{m}_1\mathcal{A}$.

Repeat with $\mathcal{A}$ replaced by $\mathcal{A}_1$ until, after performing $k$ steps, we obtain a subset $\mathcal{A}_k \subseteq \mathcal{E}_{R/M_1^k}$ such that $\mathfrak{s}_1\mathcal{A}_k \subseteq \mathfrak{s}_2\mathcal{A}$ for some two integral ideals $\mathfrak{s}_1$ and $\mathfrak{s}_2$ and such that (6) holds with $\mathcal{A}_k$ instead of $\mathcal{A}_0$. Assuming that $\mathcal{A}_k$ is the first set with this property, we derive
$$\#\mathcal{A}_k \ge \frac{1}{M_2}\#\mathcal{A}_{k-1} \ge \ldots \ge \frac{1}{M_2^k}\#\mathcal{A}.$$
Since we obviously have $R \ge M_1^k$, we see from (7) that $k \ll H/\log M_1$, which implies (5) provided that $c_1(d)$ is chosen as a suitable constant multiple of $c_2(d)$.

We now use a similar argument to choose a subset $\mathcal{B}_0 \subseteq \mathcal{C}_H$ of cardinality

(8) $\#\mathcal{B}_0 \ge M_2^{-2}\#\mathcal{B} \ge \exp\Bigl(-2c_2(d)\dfrac{H}{\log H}\Bigr)\#\mathcal{B}$

and two integral ideals $\mathfrak{t}_1$ and $\mathfrak{t}_2$ such that $\mathfrak{t}_1\mathcal{B}_0 \subseteq \mathfrak{t}_2\mathcal{B}$ and for any integral ideal $\mathfrak{m}$ with $\mathrm{Nm}(\mathfrak{m}) \ge M_1$ we have
$$\#\{\gamma \in \mathcal{B}_0 : \mathfrak{m} \mid \mathfrak{a}(\gamma) \text{ or } \mathfrak{m} \mid \mathfrak{b}(\gamma)\} \le \frac{2}{M_2}\#\mathcal{B}_0.$$

We now establish a lower bound on $\#(\mathcal{A}_0\mathcal{B}_0)$. Given $\gamma \in \mathcal{C}_H$, denote
$$\mathcal{A}_0(\gamma) = \bigl\{\vartheta \in \mathcal{A}_0 : \mathrm{Nm}\bigl(\gcd(\mathfrak{a}(\vartheta), \mathfrak{b}(\gamma))\bigr) < M_1,\ \mathrm{Nm}\bigl(\gcd(\mathfrak{b}(\vartheta), \mathfrak{a}(\gamma))\bigr) < M_1\bigr\}.$$
We now recall the well known bound on the divisor function

(9) $\tau(m) \le \exp\Bigl((\log 2 + o(1))\dfrac{\log m}{\log\log m}\Bigr),$

which is also a special case of Lemma 27.

As in the proof of [9, Lemma 2], we note that the bound (6) and Lemma 27 imply that, for a sufficiently large $H$,
$$\#\bigl(\mathcal{A}_0 \setminus \mathcal{A}_0(\gamma)\bigr) \le \frac{2}{M_2}\#\mathcal{A}_0\exp\Bigl(O\Bigl(\frac{H}{\log H}\Bigr)\Bigr) \le \frac{1}{2}\#\mathcal{A}_0$$
for an appropriate choice of $c_2(d)$ in the definition of $M_2$.
Defining $\mathcal{B}_0(\gamma)$ in a similar way, we conclude that

(10) $\#\mathcal{A}_0(\gamma) \ge \frac{1}{2}\#\mathcal{A}_0 \qquad\text{and}\qquad \#\mathcal{B}_0(\gamma) \ge \frac{1}{2}\#\mathcal{B}_0$

for every $\gamma \in \mathcal{C}_H$.

We have
$$\#(\mathcal{A}\mathcal{B}) \ge \#(\mathcal{A}_0\mathcal{B}_0) \ge \#\Bigl(\bigcup_{\vartheta \in \mathcal{A}_0}\{\vartheta\rho : \rho \in \mathcal{B}_0(\vartheta)\}\Bigr).$$
Using (10) we conclude that

(11) $\#(\mathcal{A}\mathcal{B}) \ge \dfrac{1}{2L}\#\mathcal{A}_0\,\#\mathcal{B}_0,$

where
$$L = \max_{\gamma}\#\{(\vartheta, \rho) : \vartheta \in \mathcal{A}_0,\ \rho \in \mathcal{B}_0(\vartheta),\ \vartheta\rho = \gamma\}.$$
It remains to bound $L$.

Since
$$\mathfrak{a}(\vartheta)\mathfrak{a}(\rho)\mathfrak{b}(\gamma) = \mathfrak{b}(\vartheta)\mathfrak{b}(\rho)\mathfrak{a}(\gamma),$$
it follows from the definition of $\mathcal{B}_0(\vartheta)$ that $\mathfrak{a}(\vartheta) = \mathfrak{q}\mathfrak{m}$ for some integral ideal $\mathfrak{q}$ dividing $\mathfrak{a}(\gamma)$ and an integral ideal $\mathfrak{m}$ with $\mathrm{Nm}(\mathfrak{m}) < M_1$. We recall that there are $O(M_1)$ integral ideals of norm at most $M_1$, see [37, Proposition 7.10]. Hence by (9) and Lemma 26 there are only at most $M_1\exp\bigl(O(H/\log H)\bigr)$ possible values that can be taken by the ideal $\mathfrak{a}(\vartheta)$.

Similar estimates also hold for the number of possible values that can be taken by $\mathfrak{a}(\rho)$, $\mathfrak{b}(\vartheta)$ and $\mathfrak{b}(\rho)$.

We now recall that all elements $\vartheta \in \mathcal{A}_0$ satisfy $\mathfrak{s}_1\vartheta = \eta\mathfrak{s}_2$ with $\eta \in \mathcal{A} \subseteq \mathcal{C}_H$ and fixed integral ideals $\mathfrak{s}_1$ and $\mathfrak{s}_2$. We also have a similar property for all elements $\rho \in \mathcal{B}_0(\vartheta) \subseteq \mathcal{B}_0$. Therefore, using (4), we derive

(12) $L \le M_1^4\exp\Bigl(O\Bigl(\dfrac{H}{\log H}\Bigr)\Bigr) \le \exp\Bigl(5c_1(d)\dfrac{H}{\log H}\Bigr),$

provided that $H$ is large enough. Substituting (12) in (11), and using (5) and (8), we conclude the proof. $\square$

We also have a full analogue of [11, Corollary 3].

Corollary 29. Let $\mathbb{K}$ be a finite extension of $\mathbb{Q}$ of degree $d = [\mathbb{K} : \mathbb{Q}]$. Let $\mathcal{C} \subseteq \mathbb{K}$ be a finite set with elements of logarithmic height at most $H \ge 2$. Then we have
$$\#\bigl(\mathcal{C}^{(\nu)}\bigr) \ge \exp\Bigl(-c(d, \nu)\frac{H}{\log H}\Bigr)(\#\mathcal{C})^\nu,$$
where $c(d, \nu)$ depends only on $d$ and $\nu$.

2.8. Resultant bound. Let $\nu \ge 2$ be an integer. For integers $n, m$ with $2 \le n, m \le \nu$, we define the $(m - 1) \times (n + m - 2)$ matrix $A(\nu; n, m)$ as follows:
$$A(\nu; n, m) = \begin{pmatrix}
\nu - n + 1 & \nu - n + 2 & \cdots & \nu & 0 & \cdots & 0\\
0 & \nu - n + 1 & \cdots & \nu - 1 & \nu & \cdots & 0\\
\vdots & & \ddots & & & \ddots & \vdots\\
0 & \cdots & 0 & \nu - n + 1 & \nu - n + 2 & \cdots & \nu
\end{pmatrix}.$$
Note that each row of $A(\nu; n, m)$ contains $m - 2$ zeros.

Lemma 30. Let $2 \le n, m \le \nu$ be integers. If in the $(n + m - 2) \times (n + m - 2)$ matrix
$$X(\nu; n, m) = \begin{pmatrix} A(\nu; n, m) \\ A(\nu; m, n) \end{pmatrix}$$
we mark $n + m - 2$ nonzero elements such that each row and each column contains exactly one marked element then the sum of the marked elements is always equal to
$$\sigma = (\nu - n + 1)(m - 1) + \nu(n - 1).$$

Proof. Let
$$X(\nu; n, m) = (x_{ij})_{1 \le i, j \le n + m - 2},$$
where $i$ indicates the row. Since the sum of the diagonal elements of $X(\nu; n, m)$ is equal to $(\nu - n + 1)(m - 1) + \nu(n - 1)$, it suffices to prove that the sum of the marked elements does not depend on the choice of marking. To see this, we transform the matrix $X(\nu; n, m)$ into a matrix
$$Y(\nu; n, m) = (y_{ij})_{1 \le i, j \le n + m - 2}$$
as follows:

• If $x_{ij} = 0$, then we put $y_{ij} = 0$.

• If $x_{ij} \ne 0$, then we put
$$y_{ij} = \begin{cases} x_{ij} + n + 2i - \nu - 1, & \text{for } 1 \le i \le m - 1,\\ x_{ij} + 2i - \nu, & \text{for } m \le i \le n + m - 2. \end{cases}$$

Since the marked elements occur in each row exactly once, under this transformation of $X(\nu; n, m)$ into $Y(\nu; n, m)$ the sum of the elements at the marked positions changes only by

(13) $\displaystyle \sigma_1 = \sum_{i=1}^{m-1}(n + 2i - \nu - 1) + \sum_{i=m}^{n+m-2}(2i - \nu) = (n - 1)(m - 1) - \nu(n + m - 2) + 2\sum_{i=1}^{n+m-2} i = (n - 1)(m - 1) - \nu(n + m - 2) + (n + m - 1)(n + m - 2),$

and in particular does not depend on the choice of the marking. Therefore, it suffices to show that the sum of the corresponding marked elements of $Y(\nu; n, m)$ does not depend on the choice of marking. But this follows from the observation that when $x_{ij} \ne 0$, we have
$$y_{ij} = i + j.$$
Hence, the sum of the corresponding marked elements of $Y(\nu; n, m)$ is equal to
$$\sigma_2 = 2\bigl(1 + \ldots + (n + m - 2)\bigr) = (n + m - 1)(n + m - 2)$$
and does not depend on the choice of marking. Since $\sigma_2 - \sigma_1 = \sigma$, the result now follows. $\square$

In particular, since $n, m \le \nu$, the sum $\sigma$ of the marked elements in Lemma 30 is a monotonically increasing function of $m$. So replacing $m$ with $\nu$ we derive
$$\sigma \le (\nu - n + 1)(\nu - 1) + \nu(n - 1) = \nu(\nu - 1) + n - 1 \le \nu^2 - 1.$$

Corollary 31. Let $M \ge 1$ and let $2 \le n, m \le \nu$ be fixed integers. Let 
$P_1(Z)$ and $P_2(Z)$ be polynomials 

$$P_1(Z) = \sum_{i=0}^{n-1} a_i Z^i \qquad\text{and}\qquad P_2(Z) = \sum_{i=0}^{m-1} b_i Z^i$$

such that 

$$a_{n-1}, b_{m-1} \ne 0 \qquad\text{and}\qquad |a_i|, |b_i| \le M^{\nu-i}, \quad i = 0, \ldots, \nu-1.$$

Then 

$$|\mathrm{Res}(P_1, P_2)| \le M^{\nu^2-1}.$$

Proof. We recall that 

$$\mathrm{Res}(P_1, P_2) = \det \begin{pmatrix} A \\ B \end{pmatrix},$$

where 

$$A = \begin{pmatrix}
a_{n-1} & a_{n-2} & \cdots & a_0 & 0 & \cdots & 0 \\
0 & a_{n-1} & \cdots & a_1 & a_0 & \cdots & 0 \\
 & & \ddots & & & \ddots & \\
0 & \cdots & 0 & a_{n-1} & a_{n-2} & \cdots & a_0
\end{pmatrix}$$

and 

$$B = \begin{pmatrix}
b_{m-1} & b_{m-2} & \cdots & b_0 & 0 & \cdots & 0 \\
0 & b_{m-1} & \cdots & b_1 & b_0 & \cdots & 0 \\
 & & \ddots & & & \ddots & \\
0 & \cdots & 0 & b_{m-1} & b_{m-2} & \cdots & b_0
\end{pmatrix}.$$

The result now follows from the representation of the determinant by 
sums of products of its elements and Lemma 30. □ 
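The following script is an added illustration of Lemma 30 and Corollary 31; it is not part of the paper. It builds $X(\nu; n, m)$ from the definition above, enumerates every admissible marking (a permutation choosing one nonzero entry per row and column) to confirm that all marked sums equal $\sigma$, and then evaluates $\mathrm{Res}(P_1, P_2)$ through the Sylvester matrix of the proof so that the resultant can be compared with $M^{\nu^2-1}$ under the coefficient hypotheses of the corollary. The function names, the Bareiss determinant routine and the sample polynomials are mine.

```python
from itertools import permutations


def build_A(nu, n, m):
    """The (m-1) x (n+m-2) matrix A(nu; n, m): row i (0-based) carries
    nu-n+1, ..., nu in columns i, ..., i+n-1 and zeros elsewhere."""
    rows = []
    for i in range(m - 1):
        row = [0] * (n + m - 2)
        for k in range(n):
            row[i + k] = nu - n + 1 + k
        rows.append(row)
    return rows


def build_X(nu, n, m):
    """The square matrix X(nu; n, m) = [A(nu; n, m); A(nu; m, n)] of Lemma 30."""
    return build_A(nu, n, m) + build_A(nu, m, n)


def sigma(nu, n, m):
    """The value Lemma 30 claims for every admissible marking."""
    return (nu - n + 1) * (m - 1) + nu * (n - 1)


def marked_sums(nu, n, m):
    """Set of sums over all markings: permutations picking one nonzero entry
    per row and column.  Lemma 30 says this set has exactly one element."""
    X = build_X(nu, n, m)
    size = n + m - 2
    sums = set()
    for perm in permutations(range(size)):
        picked = [X[i][perm[i]] for i in range(size)]
        if all(picked):                      # every marked entry must be nonzero
            sums.add(sum(picked))
    return sums


def det_int(M):
    """Exact determinant of an integer matrix (Bareiss fraction-free elimination)."""
    A = [row[:] for row in M]
    n = len(A)
    sign, prev = 1, 1
    for k in range(n - 1):
        if A[k][k] == 0:                     # pivot: swap in a row with a nonzero entry
            swap = next((r for r in range(k + 1, n) if A[r][k] != 0), None)
            if swap is None:
                return 0
            A[k], A[swap] = A[swap], A[k]
            sign = -sign
        for i in range(k + 1, n):
            for j in range(k + 1, n):
                A[i][j] = (A[i][j] * A[k][k] - A[i][k] * A[k][j]) // prev
        prev = A[k][k]
    return sign * A[n - 1][n - 1]


def sylvester(p1, p2):
    """Sylvester matrix [A; B] of the proof of Corollary 31.  Coefficient lists
    are low-to-high: p1 = [a_0, ..., a_{n-1}], p2 = [b_0, ..., b_{m-1}]."""
    n, m = len(p1), len(p2)
    size = n + m - 2
    rows = []
    for i in range(m - 1):                   # m-1 rows of a_{n-1}, ..., a_0
        row = [0] * size
        for k in range(n):
            row[i + k] = p1[n - 1 - k]
        rows.append(row)
    for i in range(n - 1):                   # n-1 rows of b_{m-1}, ..., b_0
        row = [0] * size
        for k in range(m):
            row[i + k] = p2[m - 1 - k]
        rows.append(row)
    return rows


def resultant(p1, p2):
    return det_int(sylvester(p1, p2))


def resultant_bound_check(p1, p2, nu, M):
    """Check the hypotheses of Corollary 31 (|a_i|, |b_i| <= M^(nu-i), nonzero
    leading coefficients) and return (|Res(P1, P2)|, M^(nu^2-1)).  By Lemma 30
    each product of marked entries is at most M^sigma <= M^(nu^2-1); the
    determinant is a signed sum of at most (n+m-2)! such products."""
    n, m = len(p1), len(p2)
    if not (2 <= n <= nu and 2 <= m <= nu) or p1[-1] == 0 or p2[-1] == 0:
        raise ValueError("degrees or leading coefficients outside the corollary")
    for coeffs in (p1, p2):
        for i, c in enumerate(coeffs):
            if abs(c) > M ** (nu - i):
                raise ValueError("coefficient hypothesis violated")
    return abs(resultant(p1, p2)), M ** (nu * nu - 1)


if __name__ == "__main__":
    print(marked_sums(3, 2, 3), sigma(3, 2, 3))          # constructed small case
    print(resultant_bound_check([5, -3, 2], [7, 4, 1], 3, 2))
```

For the constructed pair $P_1 = 2Z^2 - 3Z + 5$, $P_2 = Z^2 + 4Z + 7$ with $\nu = 3$, $M = 2$ the resultant is $532$ while $M^{\nu^2-1} = 256$: every one of the $(n+m-2)! = 24$ products in the determinant expansion is bounded by $M^{\sigma}$, so in applications the bound carries a constant depending on $\nu$, which is how it appears as $C_0(\nu)$ in the proof of Lemma 32.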

2.9. Product Sets in $\mathbb{F}_p$. We believe the results of this section can 
be of independent interest and have several other applications. For 
example, the following result in the case $\nu = 4$ solves an open problem 
from [18]. 



Lemma 32. Let $\nu \ge 1$ be a fixed integer, $\lambda \not\equiv 0 \pmod p$. Assume that 
for some sufficiently large positive integer $h$ and prime $p$ we have 

$$h < p^{1/\max\{\nu^2-1,\,1\}}.$$

Then for any $s \in \mathbb{F}_p$ for the number $J_\nu(\lambda; h)$ of solutions of the 
congruence 

$$(x_1 + s) \cdots (x_\nu + s) \equiv \lambda \pmod p, \qquad 1 \le x_i \le h,$$

we have the bound 

$$J_\nu(\lambda; h) \le \exp\Bigl(c(\nu)\,\frac{\log h}{\log\log h}\Bigr),$$

where $c(\nu)$ depends only on $\nu$. 

Proof. We note that for $\nu = 1$ the result is trivial and we prove it for 
$\nu \ge 2$ by induction on $\nu$. 

Let $\varepsilon < 1$ be a sufficiently small positive number, to be chosen later. 
We split the interval $[1, h]$ into intervals of length at most $\varepsilon h$. 

Then for some collection $\mathcal{I}_1, \ldots, \mathcal{I}_\nu$ of these intervals, we have the 
bound 

$$(14) \qquad J_\nu(\lambda; h) \le \lceil 1/\varepsilon \rceil^{\nu} J^*,$$

where $J^*$ is the number of solutions of the congruence 

$$(15) \qquad (x_1 + s) \cdots (x_\nu + s) \equiv \lambda \pmod p, \qquad x_1 \in \mathcal{I}_1, \ldots, x_\nu \in \mathcal{I}_\nu.$$

Thus, it suffices to prove the desired bound for $J^*$. 

We can assume that $J^* > \nu!$. In particular, we can fix two solutions 
$(x_1, \ldots, x_\nu) = (a_1, \ldots, a_\nu)$ and $(x_1, \ldots, x_\nu) = (b_1, \ldots, b_\nu)$ of (15) such 
that the polynomial 

$$P_0(Z) = (a_1 + Z) \cdots (a_\nu + Z) - (b_1 + Z) \cdots (b_\nu + Z)$$

is not a zero polynomial. Since $1 \le a_i, b_i \le h$, this implies that $P_0(Z)$ is 
not a zero polynomial modulo $p$. In particular, $P_0(Z)$ is not a constant 
polynomial. 

We note that by the induction hypothesis, the set of solutions $(x_1, \ldots, x_\nu)$ 
of the congruence (15) for which $x_i \in \{b_1, \ldots, b_\nu\}$ for some $i$, 
contributes to $J^*$ at most 

$$(16) \qquad \nu^2 \exp\Bigl(c(\nu-1)\,\frac{\log h}{\log\log h}\Bigr) \le \exp\Bigl(0.5\,c(\nu)\,\frac{\log h}{\log\log h}\Bigr),$$

provided that $h$ is large enough (and $c(\nu) \ge 2c(\nu-1)$). 
Consider now the set of polynomials of the form 

$$P(Z) = (x_1 + Z) \cdots (x_\nu + Z) - (b_1 + Z) \cdots (b_\nu + Z),$$

where $(x_1, \ldots, x_\nu)$ runs through the set of all solutions of the congruence 
(15) such that 

$$\{x_1, \ldots, x_\nu\} \cap \{b_1, \ldots, b_\nu\} = \emptyset.$$

We note that each such polynomial $P(Z)$ is nonzero and has the form 

$$P(Z) = c_1 Z^{\nu-1} + \ldots + c_{\nu-1} Z + c_\nu$$

with $|c_i| \le c_0(\nu)\,\varepsilon h^i$, $i = 1, \ldots, \nu$, where $c_0(\nu)$ depends only on $\nu$. 
In particular, since $P(s) \equiv 0 \pmod p$, it follows that $P(Z)$ is not a 
constant polynomial. 

Since we have $P(s) \equiv P_0(s) \equiv 0 \pmod p$, we see that their resultant 
$\mathrm{Res}(P, P_0)$ satisfies 

$$(17) \qquad \mathrm{Res}(P, P_0) \equiv 0 \pmod p.$$

On the other hand, from Corollary 31 we have that 

$$|\mathrm{Res}(P, P_0)| \le C_0(\nu)\,(\varepsilon h)^{\nu^2-1},$$

with some constant $C_0(\nu)$ that depends only on $\nu$. Therefore, taking 
$\varepsilon = (C_0(\nu) + 1)^{-1/(\nu^2-1)}$ we have $|\mathrm{Res}(P, P_0)| < p$, which in view of (17) 
implies that $\mathrm{Res}(P, P_0) = 0$. 

Hence, every polynomial $P(Z)$ has a common root with $P_0(Z)$. 

Let $\beta_0, \ldots, \beta_{n-1}$, $n \le \nu$, be all the roots of $P_0(Z)$. For each $\beta \in 
\{\beta_0, \ldots, \beta_{n-1}\}$ we collect together all solutions $(x_1, \ldots, x_\nu)$ to (15) for 
which $P(\beta) = 0$. Thus, for some $\beta \in \{\beta_0, \ldots, \beta_{n-1}\}$ we have 

$$(18) \qquad J^* \le \exp\Bigl(0.5\,c(\nu)\,\frac{\log h}{\log\log h}\Bigr) + (\nu - 1) J^{**},$$

where $J^{**}$ is the number of solutions of the equation 

$$(19) \qquad (x_1 + \beta) \cdots (x_\nu + \beta) = (b_1 + \beta) \cdots (b_\nu + \beta)$$

with $1 \le x_i \le h$ such that $x_i \ne b_j$. This implies, in particular, that the 
left hand side of (19) is distinct from zero. 

By Lemma 25 we conclude that $\beta$ is an algebraic number of logarithmic 
height $O(\log h)$ in an extension $K$ of $\mathbb{Q}$ of degree $[K : \mathbb{Q}] \le \nu$. 
Now we have that 

$$\beta = \frac{\alpha}{q},$$

where $\alpha$ is an algebraic integer of height at most $O(\log h)$ and $q$ is a 
positive integer $q \ll h^\nu$. From the basic properties of algebraic numbers 
it now follows that the numbers 

$$q x_i + \alpha, \quad i = 1, \ldots, \nu, \qquad\text{and}\qquad \prod_{j=1}^{\nu} (q b_j + \alpha)$$

are algebraic integers of $K$ of height at most $O(\log h)$. 

Therefore, we conclude that for a sufficiently large $h$ the equation (19) 
has at most 

$$(20) \qquad \exp\Bigl(C(\nu)\,\frac{\log h}{\log\log h}\Bigr) \le \exp\Bigl(0.5\,c(\nu)\,\frac{\log h}{\log\log h}\Bigr)$$

solutions, where $C(\nu)$ is the implied constant of Lemma 27 and we 
also assume that $c(\nu) \ge 2C(\nu)$. Collecting (18) and (20) together and 
using (14), we conclude the proof. □ 

Corollary 33. Let $\nu \ge 2$ be a fixed integer. Assume that for some 
sufficiently large positive integer $h$ and prime $p$ we have 

$$h < p^{1/(\nu^2-1)}.$$

For $s \in \mathbb{F}_p$ we consider the set 

$$\mathcal{A} = \{x + s \ : \ 1 \le x \le h\} \subset \mathbb{F}_p.$$

Then 

where $c(\nu)$ depends only on $\nu$. 

We now obtain similar results for the set of fractions $(x + s)/(x + t)$. 

Lemma 34. Let $\nu \ge 1$ be a fixed integer. Assume that for some 
sufficiently large positive integer $h$ and prime $p$ we have 

$$h < p^{c/\nu^2},$$

where $c$ is a certain absolute constant. For pairwise distinct $s, t \in \mathbb{F}_p$ 
we consider the set 

$$\mathcal{A} = \Bigl\{ \frac{x + s}{x + t} \ : \ 1 \le x \le h \Bigr\} \subset \mathbb{F}_p.$$

Then 

$$\exp\Bigl(-c(\nu)\,\frac{\log h}{\log\log h}\Bigr)$$

where $c(\nu)$ depends only on $\nu$. 

Proof. We consider the collection $\mathcal{P} \subset \mathbb{Z}[Z_1, Z_2]$ of polynomials 

$$P_{\mathbf{x},\mathbf{y}}(Z_1, Z_2) = \prod_{i=1}^{\nu}(x_i + Z_1)\prod_{j=1}^{\nu}(y_j + Z_2) - \prod_{i=1}^{\nu}(x_i + Z_2)\prod_{j=1}^{\nu}(y_j + Z_1),$$

where $\mathbf{x} = (x_1, \ldots, x_\nu)$ and $\mathbf{y} = (y_1, \ldots, y_\nu)$ are integral vectors with 
entries in $[0, h]$ and such that 

$$P_{\mathbf{x},\mathbf{y}}(s, t) \equiv 0 \pmod p.$$

As in the proof of Lemma 32 we can assume that $\mathcal{P}$ contains nonzero 
polynomials. 

Clearly, every $P \in \mathcal{P}$ is of degree at most $2\nu - 1$ and of logarithmic 
height at most $3\nu \log h$. 

We take a family $\mathcal{P}_0$ containing the largest possible number 

$$N \le (\nu + 1)^2 - 1$$

of linearly independent polynomials $P_1, \ldots, P_N \in \mathcal{P}$, and consider the 
variety 

$$V : \ P_1(Z_1, Z_2) = \ldots = P_N(Z_1, Z_2) = 0.$$

We claim that $f(Z_1, Z_2) = Z_1 - Z_2$ does not vanish on $V$. 

Indeed, if $f(Z_1, Z_2)$ vanishes on $V$ then by Lemma 23 we see that 
there are polynomials $Q_1, \ldots, Q_N \in \mathbb{Z}[Z_1, Z_2]$ and positive integers $b$ 
and $r$ with 

$$(21) \qquad \log b \le c_0 \nu (\nu \log h + \nu) \le 2 c_0 \nu^2 \log h$$

for some absolute constant $c_0$ (provided that $h$ is large enough) and 
such that 

$$P_1 Q_1 + \ldots + P_N Q_N = b\,(Z_1 - Z_2)^r.$$

Substituting $(Z_1, Z_2) = (s, t)$ and using that $s$ and $t$ are distinct elements 
of $\mathbb{F}_p$ we obtain $p \mid b$. Taking $c = 1/(2c_0 + 1)$ in the condition of 
the theorem, we see from (21) that this is impossible. 
Hence the set 

$$U = V \cap [Z_1 - Z_2 \ne 0]$$

is nonempty. Applying Lemma 24 we see that it has a point $(\beta_1, \beta_2)$ 
with components of logarithmic height $O(\log h)$ in an extension $K$ of 
$\mathbb{Q}$ of degree $[K : \mathbb{Q}] = O(1)$. 

Let $\mathcal{X} = \{0, 1, \ldots, h\}$. Consider the maps $\Phi : \mathcal{X}^\nu \to \mathbb{F}_p$ given by 

$$\Phi : \mathbf{x} = (x_1, \ldots, x_\nu) \mapsto \prod_{i=1}^{\nu} \frac{x_i + s}{x_i + t}$$

and $\Psi : \mathcal{X}^\nu \to K$ given by 

$$\Psi : \mathbf{x} = (x_1, \ldots, x_\nu) \mapsto \prod_{i=1}^{\nu} \frac{x_i + \beta_1}{x_i + \beta_2}.$$

By construction of $(\beta_1, \beta_2)$ we have that $\Psi(\mathbf{x}) = \Psi(\mathbf{y})$ if $\Phi(\mathbf{x}) = \Phi(\mathbf{y})$. 
Hence 

where $\mathrm{Im}\,\Psi$ is the image set of the map $\Psi$ and 

$$\mathcal{C} = \Bigl\{ \frac{x + \beta_1}{x + \beta_2} \ : \ 1 \le x \le h \Bigr\} \subset K.$$

Using Corollary 29 we derive the result. □ 

2.10. Shifted Sets in Conjugacy Classes of $\mathcal{G}_e$. We are now able 
to present our main technical tools. 

Lemma 35. Let $\alpha, \beta, \delta, \zeta, \mathcal{X}$ and $\mathcal{S}$ be as in Lemma 21. For $x \in \mathbb{F}_p$ 
we define 

$$r(x) = \max_{\lambda_0, \lambda_1} \#\{t \in \mathcal{S} \ : \ (t + \zeta^\nu x)^e \equiv \lambda_\nu \pmod p, \ \nu = 0, 1\}.$$

Then for $e \le p^{1-\delta}$ we have 

$$\min_{x \in \mathcal{X}} r(x) \ll p^{-\xi}\,\#\mathcal{S},$$

where $\xi > 0$ depends only on $\delta$. 

Proof. Clearly $r(x) \le r_0(x) + r_1(x)$, where 

$$r_\nu(x) = \max_{\lambda} \#\{t \in \mathcal{T}_\nu \ : \ (t + \zeta^\nu x)^e \equiv \lambda \pmod p\}$$

and $\mathcal{T}_0$ and $\mathcal{T}_1$ are as in Lemma 21. Let $d = (p - 1)/e$. We denote by $\chi_0$ 
the principal character modulo $p$ and by $\chi_1, \ldots, \chi_{d-1}$ the other 
characters with $\chi_j^d = \chi_0$. Then, using the orthogonality of multiplicative 
characters (see [30, Section 3.1]), for the value of $\lambda$ at which the maximum 
is attained we write 

$$r_\nu(x) = \frac{1}{d} \sum_{j=0}^{d-1} \sum_{t \in \mathcal{T}_\nu} \chi_j(t + \zeta^\nu x)\,\overline{\chi_j(\lambda)}.$$

Thus, for $\nu = 0, 1$, 

$$\sum_{x \in \mathcal{X}} r_\nu(x)^2 \le \frac{1}{d} \sum_{j=0}^{d-1} \sum_{x \in \mathcal{X}} \sum_{t_1, t_2 \in \mathcal{T}_\nu} \chi_j(\zeta^\nu x + t_1)\,\overline{\chi_j(\zeta^\nu x + t_2)}.$$

The contribution of the principal character $\chi_0$ is at most $\frac{1}{d}\#\mathcal{X}(\#\mathcal{S})^2$. 
Furthermore, by Lemma 21 the contribution from any nonprincipal character 
is $\ll \#\mathcal{X}(\#\mathcal{S})^2 p^{-\xi}$. Therefore, 

$$\sum_{x \in \mathcal{X}} r_\nu(x)^2 \ll \frac{1}{d}\#\mathcal{X}(\#\mathcal{S})^2 + \#\mathcal{X}(\#\mathcal{S})^2 p^{-\xi}, \qquad \nu = 0, 1,$$

which concludes the proof. □ 
We also see that Corollary 33 yields: 

Lemma 36. Let $\delta > 0$ be fixed. Let $\mathcal{A}$ be as in Corollary 33. If 
$\mathcal{A} \subset r\mathcal{G}_e$ where $r \in \mathbb{F}_p^*$ and $e < p^\delta$ then 

$$h = O\bigl(e^{c_0 \delta}\bigr),$$

where $c_0$ is some absolute constant. 

Finally, we immediately derive from Lemma 34: 

Lemma 37. Let $\delta > 0$ be fixed. Let $\mathcal{A}$ be as in Lemma 34. If $\mathcal{A} \subset \mathcal{G}_e$ 
where $e < p^\delta$ then 

$$h = O\bigl(e^{c_0 \delta}\bigr),$$

where $c_0$ is some absolute constant. 

3. Main Results 

3.1. Hidden Shifted Power Problem. Here we give deterministic 
and probabilistic algorithms for the Hidden Shifted Power Problem 
that run in about the same time as the interpolation algorithm, but 
use significantly fewer oracle calls. 

Theorem 38. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < p^{1-\delta}$, given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathcal{S}_0$ with a known 
$\mathcal{S}_0 \subset \mathbb{F}_p$, $\#\mathcal{S}_0 \le e$, there is a deterministic algorithm that for any 
fixed $\varepsilon > 0$ makes $O(1)$ calls to the oracle $\mathcal{O}_{e,s}$ and finds $s$ in time 

$$e^{1+\varepsilon}(\log p)^{O(1)}.$$

Proof. Let $e = p^\rho$. First we consider the case of large $e$ when $\rho > 0.65$. 

We fix some integer $m \ge 3$ so that $p$ and $e$ satisfy the condition of 
Lemma 3. We now make $m$ calls to $\mathcal{O}_{e,s}$ with $j = 1, \ldots, m$, getting 

$$A_j = (s + j)^e.$$

We now take a set $\mathcal{S}_m$ that consists of all elements $t \in \mathcal{S}_0$ for which 

$$(t + j)^e = A_j, \qquad j = 1, \ldots, m.$$

Thus, $\mathcal{S}_m$ is the set of candidates for $s$ after $m$ calls. To find $\mathcal{S}_m$, we can 
test all elements $t \in \mathcal{S}_0$. This requires the running time $e(\log p)^{O(1)}$. 
Clearly, there are some $a_j \in \mathbb{F}_p^*$, $j = 1, \ldots, m$, so that 

$$s \in \mathcal{S}_m \subset \mathcal{S}_0 \cap$$

By Lemma 3 we see that $\#\mathcal{S}_m = O\bigl(e^{(m+1)/(2m+1)}\bigr)$. The second part of 
our algorithm is iterative: it starts with the set $\mathcal{S} = \mathcal{S}_m$ with $s \in \mathcal{S}$ 
described above, with an appropriate choice of $m = O(1)$ so that 
it is of cardinality $\#\mathcal{S} \le e^{1/2+\varepsilon}$ (which can be constructed after $O(1)$ 
calls), and then at each step it makes a call to $\mathcal{O}_{e,s}$ so that after its 
reply we get a substantially smaller set of candidates. 
More precisely, denote 

$$\vartheta = \frac{1}{4}\Bigl(3 + \rho - \sqrt{1 + \rho^2}\Bigr)$$

and assume that at some stage we are given a set $\mathcal{S} \subset \mathbb{F}_p$ with $s \in \mathcal{S}$ of 
cardinality $\#\mathcal{S} \le e^{1/2+\varepsilon}$. We show how to make a call to $\mathcal{O}_{e,s}$ 
so that after its reply we get a set of candidates of the size reduced by 
a small power of $p$. 

Define $\alpha$ by $\#\mathcal{S} = p^\alpha$ and note that for any 

$$(22) \qquad \beta > \frac{1}{4}\Bigl(3 - 2\alpha - \sqrt{1 + 4\alpha^2}\Bigr)$$

and an appropriate $\delta > 0$ the condition of Lemma 21 is satisfied so 
Lemma 35 applies. 
Take 

$$h = \lceil p^\beta \rceil$$

and for all $t \in \mathcal{S}$ and $x \in [0, h]$ compute the pairs $\bigl((t + x)^e, (t + \zeta x)^e\bigr)$, 
where $\zeta$ is as in Lemma 21. We now order, for each $x$, the list of pairs 
in the ascending order with respect to the first component and then 
with respect to the second component. Scanning this ordered list we 
find $x$ that satisfies the bound of Lemma 35. We use this $x$ for the next 
two calls to get $A = (x + s)^e$ and $B = (\zeta x + s)^e$. Then the new set of 
the candidates is defined as 

$$\mathcal{T} = \{t \in \mathcal{S} \ : \ (t + x)^e = A, \ (t + \zeta x)^e = B\}.$$

Clearly 

$$(23) \qquad \#\mathcal{T} \ll p^{-\xi}\,\#\mathcal{S}$$

for some $\xi > 0$ that depends only on $\alpha$ and $\beta$. 

The total cost of this step is $p^{\beta + o(1)}\#\mathcal{S}$. Since $\beta$ is an arbitrary 
number satisfying (22), we see that it is possible to find this set in 
time $O\bigl(p^{(3 + 2\alpha - \sqrt{1 + 4\alpha^2})/4 + \eta}\bigr)$ for arbitrary $\eta > 0$. Since the above 
exponent is a monotonically increasing function of $\alpha$ and $\alpha \le \rho/2 + \varepsilon$, 
we see that the cost of each step can be made at most $p^{\vartheta + \eta}$, provided 
that $\varepsilon$ is small enough. 

The procedure terminates when we get the set $\mathcal{S}$ of candidates with 
$\#\mathcal{S} \le e^{\delta}$. It is obvious that (23) implies that the procedure terminates 
after $O(1)$ steps and has the time complexity $e(\log p)^{O(1)} + O(p^{\vartheta + \eta})$. 
Since $\vartheta \le \rho - 0.03$ for $\rho > 0.65$, the total complexity of 
the above procedure is $O(e)$. 

The final part of our algorithm is also iterative. It starts with the 
set $\mathcal{S}$ with $\#\mathcal{S} \le e^{\delta}$. We take 

$$h = \lceil e^{1-\delta} \rceil \qquad\text{and}\qquad \mathcal{X} = [0, h).$$

For $x \in \mathbb{F}_p$ we define 

$$R(x) = \#\{(s, t) \in \mathcal{S} \times \mathcal{S} \ : \ s \ne t, \ (x + s)^e = (x + t)^e\}.$$

Clearly 

$$(24) \qquad \sum_{x \in \mathcal{X}} R(x) = Q,$$

where 

$$Q = \#\Bigl\{(x, s, t) \in \mathcal{X} \times \mathcal{S} \times \mathcal{S} \ : \ s \ne t, \ \frac{x + s}{x + t} \in \mathcal{G}_e\Bigr\}.$$

We write 

$$(25) \qquad Q = \sum_{\substack{s, t \in \mathcal{S} \\ s \ne t}} Q(s, t),$$

where 

$$Q(s, t) = \#\mathcal{Q}(s, t) \qquad\text{and}\qquad \mathcal{Q}(s, t) = \Bigl\{x \in \mathcal{X} \ : \ \frac{x + s}{x + t} \in \mathcal{G}_e\Bigr\}.$$

As in the proof of Lemma 35 we put $d = (p - 1)/e$, denote by $\chi_0$ 
the principal character modulo $p$ and by $\chi_1, \ldots, \chi_{d-1}$ the other 
characters with $\chi_j^d = \chi_0$. We have 

$$Q(s, t) = \frac{1}{d} \sum_{j=0}^{d-1} \sum_{x \in \mathcal{X}} \chi_j\Bigl(\frac{x + s}{x + t}\Bigr).$$

Using Lemma 18 we get 

$$Q(s, t) \le \frac{h}{d} + O\bigl(p^{1/2} \log p\bigr).$$

The substitution in (25) and then using (24) implies 

Therefore, we see there is $x \in \{0, \ldots, h - 1\}$ such that 

$$(26) \qquad R(x) \le (\#\mathcal{S})^2 \Bigl( \frac{e}{p - 1} + O\Bigl(\frac{p^{1/2} \log p}{h}\Bigr) \Bigr).$$

We can consider that $\delta \le 0.05$. By the supposition on $e$ and the choice 
of $h$ we get 

$$R(x) \ll (\#\mathcal{S})^2 p^{-\delta}.$$

To find the desired value of $x$ for which (26) holds, we simply compute 
$(x + t)^e$ for all $x = 0, \ldots, h - 1$ and $t \in \mathcal{S}$ in time 

$$h\#\mathcal{S}(\log p)^{O(1)} \le e^{1+\varepsilon}(\log p)^{O(1)}.$$

We now use any $x$ that satisfies (26) for the next call and get $A = (x + s)^e$. 
Then the new set of the candidates is defined as 

$$\mathcal{T} = \{t \in \mathcal{S} \ : \ (x + t)^e = A\}.$$

Clearly, we have 

$$\#\mathcal{T} \le R(x)^{1/2} + 1 \ll \#\mathcal{S}\,p^{-\delta/2} + 1.$$

We now repeat the same with $\mathcal{T}$ instead of $\mathcal{S}$ and search for a new 
appropriate value of $x$. 

Thus in $O(1)$ steps this procedure produces a set $\mathcal{T}$ of cardinality 
$\#\mathcal{T} = O(1)$ with $s \in \mathcal{T}$. Checking whether $s = t$ for every element 
$t \in \mathcal{T}$ takes at most $\#\mathcal{T} = O(1)$ calls to $\mathcal{O}_{e,s}$ with $x = -t$, $t \in \mathcal{T}$, 
until $\mathcal{O}_{e,s}$ returns zero. This completes the proof when $\rho > 0.65$. 

Finally, to prove the result for $\rho \le 0.65$, we again start the algorithm 
with $O(1)$ calls to produce a set $\mathcal{S}$ such that $s \in \mathcal{S}$ and $\#\mathcal{S} \le e^{1/2+\varepsilon/4}$. 
We now take 

$$h = \lfloor e^{1/2+\varepsilon/2} \rfloor \qquad\text{and}\qquad \mathcal{X} = [0, h).$$

Next, we define $R(x)$, $Q$, $Q(s, t)$, $\mathcal{Q}(s, t)$ as in the previous case. 
Denote 

$$\mathcal{Q}(s, t) \times \mathcal{Q}(s, t) = \{(x, y) \ : \ x \in \mathcal{Q}(s, t), \ y \in \mathcal{Q}(s, t)\}.$$

Clearly 

$$\#\bigl(\mathcal{Q}(s, t) \times \mathcal{Q}(s, t)\bigr) = Q(s, t)^2.$$

Note that if 

$$\frac{(x + s)(y + s)}{(x + t)(y + t)} = 1$$

then (since $s \ne t$) for each $x \in \mathcal{Q}(s, t)$ there is at most one value of 
$y \in \{0, \ldots, h - 1\}$. So such solutions contribute at most $Q(s, t)$ to 
$\mathcal{Q}(s, t) \times \mathcal{Q}(s, t)$. Thus 

$$(27) \qquad Q(s, t)^2 - Q(s, t) \le \#\Bigl\{x, y \in \mathcal{X} \ : \ \frac{(x + s)(y + s)}{(x + t)(y + t)} \in \mathcal{G}_e \setminus \{1\}\Bigr\}.$$

If for some $a \in \mathcal{G}_e \setminus \{1\}$ we have 

$$(28) \qquad \frac{(x + s)(y + s)}{(x + t)(y + t)} = a,$$

then we can write (28) in the form 

$$(a - 1)xy + (at - s)(x + y) + (at^2 - s^2) = 0,$$

or 

$$(x + u)(y + u) = v,$$

where 

$$u = \frac{at - s}{a - 1} \qquad\text{and}\qquad v = -\frac{at^2 - s^2}{a - 1} + u^2.$$

Since $v \in \mathbb{F}_p^*$, using Lemma 1, we see that the equation (28) has at 
most $h^{3/2+o(1)}p^{-1/2} + h^{o(1)}$ solutions. We now see from (27) 

$$(29) \qquad Q(s, t)^2 \le e\bigl(h^{3/2+o(1)}p^{-1/2} + h^{o(1)}\bigr) + Q(s, t)$$

(here and throughout the proof we write $o(1)$ for a quantity that tends 
to zero provided that $e \to \infty$). 

Furthermore, under the assumption that $\rho \le 0.65$, taking a sufficiently 
small $\varepsilon$, we have $h^{3/2} \le p^{1/2}$. Therefore the bound (29) simplifies 
as 

Therefore, the substitution in (25) and then using (24) implies 

Thus, recalling the definition of $h$, we see there is $x \in \{0, \ldots, h - 1\}$ 
such that 

$$(30) \qquad R(x) \le (\#\mathcal{S})^2\, e^{1/2} h^{-1+o(1)} = (\#\mathcal{S})^2\, e^{-\varepsilon/2+o(1)} \le (\#\mathcal{S})^2\, e^{-\varepsilon/4}.$$

To find the desired value of $x$ for which (30) holds, we simply compute 
$(x + t)^e$ for all $x = 0, \ldots, h$ and $t \in \mathcal{S}$ in time 

$$h\#\mathcal{S}(\log p)^{O(1)} \le e^{1+\varepsilon}(\log p)^{O(1)}.$$

We now use any $x$ that satisfies (30) for the next call and get $A = (x + s)^e$. 
Then the new set of the candidates is defined as 

$$\mathcal{T} = \{t \in \mathcal{S} \ : \ (x + t)^e = A\}.$$

Clearly, we have 

$$\#\mathcal{T} \le \#\mathcal{S}\,e^{-\xi} + 1$$

for some $\xi > 0$ that depends only on $\varepsilon$. 

We now repeat the same with $\mathcal{T}$ instead of $\mathcal{S}$ and search for a new 
appropriate value of $x$. 

Thus in $O(1)$ steps this procedure produces a set $\mathcal{T}$ of cardinality 
$\#\mathcal{T} = O(1)$ with $s \in \mathcal{T}$. Checking whether $s = t$ for every element 
$t \in \mathcal{T}$ takes at most $\#\mathcal{T} = O(1)$ calls to $\mathcal{O}_{e,s}$ with $x = -t$, $t \in \mathcal{T}$, 
until $\mathcal{O}_{e,s}$ returns zero. This completes the proof. □ 

Corollary 39. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < p^{1-\delta}$, given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$ and $\ell$-th 
power nonresidues for all prime divisors $\ell \mid e$, there is a deterministic 
algorithm that for any fixed $\varepsilon > 0$ makes $O(1)$ calls to the oracle $\mathcal{O}_{e,s}$ 
and finds $s$ in time $e^{1+\varepsilon}(\log p)^{O(1)}$. 

Proof. We make the first call to $\mathcal{O}_{e,s}$ with $x = 0$, getting $A_0 = s^e$. If 
$A_0 = 0$ then $s = 0$ and we are done. Now assume that $A_0 \ne 0$. 
We see from Lemma 8 that we can construct the set 

$$(31) \qquad \mathcal{S}_0 = \{t \ : \ t^e = A_0\}$$

of candidates for $s$ in time $e(\log p)^{O(1)}$. Now it suffices to use Theorem 38. □ 

Corollary 40. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < p^{1-\delta}$, given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$, there is a 
deterministic algorithm that for any fixed $\delta > 0$ makes $O(1)$ calls to 
the oracle $\mathcal{O}_{e,s}$ and finds $s$ in time $O(e p^\delta)$. 
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Proof. We can consider that e < 1/2. Trivially, e can be factored in 
time 6^^"^^°^^^ For any prime i \ ewe take ag so that — 1. Denote 
y — [P^\ ■ ^'^^ X = 1, . . . ,y we take 'yi{x) as the largest nonnegative 
integer 7 < so that 

(modp). 

Next, we denote 

= min{7£(x) : 1 < x < y} 
and for any prime i \ e we choose x = x{i) so that 7^(x) = 7^. Let 

e\e 

£ prime 

We have x^^^^-*/" = 1 (mod p) for all x = 1, . . . , Therefore, from 
Corollary [H] we deduce that n < (l/e)'^^'^ for some absolute constant 
c. The running time for finding n and all x{i) is p^(logp)'^^^''. Us- 
ing Lemma [121 we find a set So of candidates for s of cardinality at 
most e in time e(logp)*^^^-'r;,*^^^^. By Theorem |38l we find s in time 
O ((e^"'"'^ + p^) (logp)'^*^^^) . Replacing e with e/2, we get the running 
time 

O ^ pe/2^^ (logp)°(^)) = O {e^+' + p') = 0{ep') 

as required. □ 

More precisely, it is easy to see that in the algorithm of Corollary HQ] 
the number of calls to the oracle Oe,s needed to find 5*0 and the running 
time for this step are bounded by 

and p'{hgpf^^^ + e{\ogpf^^\l/ef^^/'\ 

respectively, where c is an absolute constant. 

We note that the Extended Riemann Hypothesis implies that the 
smallest $\ell$-th power nonresidue modulo $p$ is $O((\log p)^2)$ (uniformly over 
primes $\ell \mid p - 1$), see [36, Chapter 9, Corollary 1]. Hence, we obtain: 

Corollary 41. Assuming the Extended Riemann Hypothesis, for a 
prime $p$ and a positive integer $e \mid p - 1$ with $e < p^{1-\delta}$, given an oracle 
$\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$, there is a deterministic algorithm that 
for any fixed $\varepsilon > 0$ makes $O(1)$ calls to the oracle $\mathcal{O}_{e,s}$ and finds $s$ in 
time $e^{1+\varepsilon}(\log p)^{O(1)}$. 

We also note that by a result of Burgess and Elliott [13] for almost 
all primes $p$ the smallest primitive root is $(\log p)^{2+\varepsilon}$ for any $\varepsilon > 0$, see 
also [24]. Thus for almost all primes we have an unconditional version 
of Corollary 41. 
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We now present a probabilistic algorithm which is slightly more ef- 
ficient in some cases. 

Theorem 42. For a prime p and a positive integer e \ p — 1 with 
e < p^^^ , given an oracle Oe,s for some unknown s G ¥p, there is a 
probabilistic algorithm that makes in average 0(1) calls to the oracle 
Oe^s and finds s in the expected time e(logp)*^''"^^ 

Proof. We again start from the first call to Oe,s with x = 0. Using 
a probabilistic algorithm, we can find the set 5*0 given by (!3T|) in the 
expected time e{\ogp)^'^^\ see [271 Corollary 14.16]. Then we make 
next calls with random xi, . . . , a;^ where 

31ogp 
[log(p/e)J 

For any j and any $2 the probability of the event 
(32) (xj + si)/{xj + ss) e Ge 

is at most e/p. Hence, by the choice of the probability of the event 
{xj + Si)/{xj + S2) G Qe for all j is at most {e/pY < p~^. Next, the 
probability that for some Si 7^ S2 we have (l32l) for all j is at most 
1/p. Therefore, the random choice of Xi, . . . , Xj, determines s with high 
probability. To find s we have to test elements from 5*0. This can be 
done in time e{\ogp)^'^^\ and the result follows. □ 

The following result is applicable to the case when e does not satisfy 
the restriction in Theorem [38] (namely, to e = p^^°^^^ as j9 — )■ 00). 

Theorem 43. For a prime $p$ and a positive integer $e \mid p - 1$, given an 
oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$, there is a deterministic algorithm 
that makes $O\bigl(\log p/\log(p/e)\bigr)$ calls to the oracle $\mathcal{O}_{e,s}$ and finds $s$ in 
time $p(\log p)^{O(1)}$. 

Proof. For $e < p^{1/2}$ the result follows immediately from Theorem 38. 
We now assume that $e \ge p^{1/2}$. 

Again, we fix some integer $m \ge 1$ and now make $m$ calls to $\mathcal{O}_{e,s}$ 
with $j = 1, \ldots, m$, getting $A_j = (s + j)^e$. If $A_j = 0$ for some $j$, then 
$s = -j$ and we are done. Hence we can assume that $A_j \ne 0$ for 
$j = 1, \ldots, m$. Our immediate aim is to estimate the cardinality of the 
set $\mathcal{S}_m$ of candidates after $m$ calls: 

$$\mathcal{S}_m = \{x \in \mathbb{F}_p \ : \ (x + j)^e = A_j, \ j = 1, \ldots, m\}.$$

As in the proof of Lemma 35 we put $d = (p - 1)/e$, denote by $\chi_0$ 
the principal character modulo $p$ and by $\chi_1, \ldots, \chi_{d-1}$ the other 
characters with $\chi_i^d = \chi_0$. The condition $(x + j)^e = A_j$ determines the values 
$\chi_i(x + j) = \alpha_{ij}$. We have 

$$\#\mathcal{S}_m = \frac{1}{d^m} \sum_{i_1, \ldots, i_m = 0}^{d-1} \sum_{x \in \mathbb{F}_p} \prod_{j=1}^{m} \overline{\alpha_{i_j j}}\, \chi_{i_j}(x + j).$$

Applying Lemma 17 we get 

$$\#\mathcal{S}_m = d^{-m}(p - m) + O\bigl(m p^{1/2}\bigr).$$

Setting 

$$m = \Bigl\lfloor \frac{\log p}{2 \log\bigl((p - 1)/e\bigr)} \Bigr\rfloor + 1,$$

we have $\#\mathcal{S}_m \ll m p^{1/2}$. We need the running time $p(\log p)^{O(1)}$ to find $\mathcal{S}_m$. 

Now we proceed as in the proof of Theorem 38 with 

$$h = \Bigl\lceil \frac{p^{3/2}(\log p)^2}{e} \Bigr\rceil.$$

After the $j$-th call, $j \ge m$, we get the set $\mathcal{S} = \mathcal{S}_j$ of candidates for $s$. 
Next, we define $R(x)$, $Q$, $Q(s, t)$, $\mathcal{Q}(s, t)$ as in Theorem 38. Using (26) 
we get the new set $\mathcal{S} = \mathcal{S}_{j+1}$ of candidates for $s$ with 

$$\#\mathcal{S}_{j+1} \le \max\bigl\{1, \ (1 + o(1))(e/p)^{1/2}\#\mathcal{S}_j\bigr\}.$$

Thus in $\ll \log p/\log(p/e)$ steps this procedure produces a set $\mathcal{T}$ of 
cardinality $\#\mathcal{T} = O(1)$ with $s \in \mathcal{T}$. Checking whether $s = t$ for every 
element $t \in \mathcal{T}$ takes at most $\#\mathcal{T} = O(1)$ calls to $\mathcal{O}_{e,s}$ with $x = -t$, 
$t \in \mathcal{T}$, until $\mathcal{O}_{e,s}$ returns zero. Since the time to find $\mathcal{S}_{j+1}$ is 
$(\log p)^{O(1)} h \#\mathcal{S}_j \le p(\log p)^{O(1)}$, we obtain the desired result. □ 
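To make the two candidate-narrowing strategies concrete, here is a simulation, added as an example and not taken from the paper, of the probabilistic algorithm of Theorem 42 (one call at $x = 0$ to obtain $\mathcal{S}_0$, then $k$ random calls, then the final calls at $x = -t$) and of the deterministic first stage of Theorem 43 (calls at $x = 1, \ldots, m$ giving $\mathcal{S}_m$). The oracle is simulated by $(x + s)^e \bmod p$ with a call counter, $\mathcal{S}_0$ is found by brute force instead of the $e(\log p)^{O(1)}$ methods the proofs cite, and the parameters $p = 1009$, $e = 63$, $s = 123$ and all function names are constructed for this example.

```python
import math
import random


def make_oracle(p, e, s):
    """Simulated O_{e,s}: returns (x+s)^e mod p and counts the calls made."""
    calls = [0]

    def oracle(x):
        calls[0] += 1
        return pow(x + s, e, p)

    return oracle, calls


def eth_roots(p, e, a):
    """S_0 = {t in F_p : t^e = a}.  Brute force, fine for a small p; the proofs
    cite Lemma 8 and [27, Corollary 14.16] for e (log p)^{O(1)} methods."""
    return {t for t in range(p) if pow(t, e, p) == a}


def random_query_count(p, e):
    """k = ceil(3 log p / log(p/e)), so that (e/p)^k <= p^{-3} as in Theorem 42."""
    return math.ceil(3 * math.log(p) / math.log(p / e))


def recover_probabilistic(p, e, s, rng):
    """Theorem 42: first call at x = 0, then up to k random calls.  A candidate
    t survives the call at x only if (x+t)^e = (x+s)^e, i.e. (x+t)/(x+s) lies
    in G_e, which for t != s happens with probability about e/p.  Returns
    (recovered s, total oracle calls)."""
    oracle, calls = make_oracle(p, e, s)
    a0 = oracle(0)
    if a0 == 0:                      # s^e = 0 forces s = 0
        return 0, calls[0]
    cands = eth_roots(p, e, a0)
    for _ in range(random_query_count(p, e)):
        if len(cands) == 1:
            break
        x = rng.randrange(p)
        a = oracle(x)
        cands = {t for t in cands if pow(x + t, e, p) == a}
    # final check from the proofs: calls at x = -t until the oracle returns 0
    for t in sorted(cands):
        if oracle((-t) % p) == 0:
            return t, calls[0]
    raise RuntimeError("no candidate answered zero; s should be in S_0")


def candidates_after_m_calls(p, e, s, m):
    """Theorem 43: S_m = {x in F_p : (x+j)^e = A_j, j = 1..m} with A_j = O_{e,s}(j).
    The proof estimates #S_m = d^{-m}(p-m) + O(m p^{1/2}) with d = (p-1)/e."""
    oracle, _ = make_oracle(p, e, s)
    A = {j: oracle(j) for j in range(1, m + 1)}
    return {x for x in range(p)
            if all(pow(x + j, e, p) == A[j] for j in range(1, m + 1))}


def demo(seed=1):
    """Constructed instance: 63 | 1008 and 63 = 1009^{0.6} < 1009^{1-delta}."""
    return recover_probabilistic(1009, 63, 123, random.Random(seed))


if __name__ == "__main__":
    print(demo())                                    # (123, number of calls)
    for m in (1, 2, 3):
        print(m, len(candidates_after_m_calls(1009, 63, 123, m)))
```

With these parameters $\mathcal{S}_0$ has exactly $e = 63$ elements and each random call keeps a wrong candidate with probability about $e/p \approx 1/16$, so the candidate set collapses to $\{s\}$ after a few calls; the deterministic sets $\mathcal{S}_1 \supseteq \mathcal{S}_2 \supseteq \mathcal{S}_3$ shrink at the same rate, matching the factor $d^{-1} = e/(p-1)$ per call in the estimate of the proof.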

Combining Corollary 39 and Theorem 43 we get the following result: 

Corollary 44. For a prime $p$ and a positive integer $e \mid p - 1$, given an 
oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$, and $\ell$-th power nonresidues for 
all prime divisors $\ell \mid e$, there is a deterministic algorithm that for any 
fixed $\varepsilon > 0$ makes $O\bigl(\log p/\log(p/e)\bigr)$ calls to the oracle $\mathcal{O}_{e,s}$ and finds 
$s$ in time $e^{1+\varepsilon}(\log p)^{O(1)}$. 

3.2. Shifted Power Identity Testing with Known $t$. 

Theorem 45. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < p^{1-\delta}$ for some fixed $\delta > 0$, given an oracle $\mathcal{O}_{e,s}$ for some unknown 
$s \in \mathbb{F}_p$ and $t \in \mathbb{F}_p$, there is a deterministic algorithm to decide whether 
$s = t$ in time $e^{1/2+o(1)}(\log p)^{O(1)}$ as $e \to \infty$. 
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Proof. For integers a and H with 0<a<a + if<p, we consider the 
interval X = [a + l,a + H] of size H < p^^^. 

Fix some integer m > 1 so that p and e satisfy the condition of 
Lemma [31 We put £ = m\, 4 = m!/(s + 1), s = 1, ... ,m — 1, and 
K = [H/i\ . 

Let J = {a + £,..., a + iK}. Thus J <ZX. Let ^ = J/ J, that is, 
A={]i/32 ■■ Juj2 e J}. 
By Lemma [2] we see that 

has solutions as H ^ oo. Therefore, 

(33) #^ > if2+o(i)_ 

Next we observe that 

A + s C {{s + l)u : uel/I}, 

since 

a + ^ ^ ^^^a + s^i + ^/i 
a + ii a + £i 

and + ish < {s + l)isK < H. 

Clearly if X e rQ^ then A ^ Qe and A + s ^ {s + l)Ge- The system 
of equations 

Xo + S = Xs, Xs ^ {s + l)Qe, s = 0,...,m-l, 

has at least i^A solutions of the form xq E A, Xs = Xq + s, s = 1, . . . ,m. 
We now set 

for a sufficiently small e > 0. By Lemma[3]we have ^ g(m+i)/{2m+i) 
which, for a sufficiently large m and the above choice of H, contra- 
dicts (1331) . Since e > is arbitrary, we now complete the proof by 
simply choosing y = [^,H] and recalling ([3]). □ 

For large values of $e$ we can use bounds of character sums. 

Theorem 46. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < (p - 1)/2$, given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$ and 
$t \in \mathbb{F}_p$, there is a deterministic algorithm to decide whether $s = t$ in 
time $p^{1/2+o(1)}$ as $p \to \infty$. 

Proof. We argue as in the proof of Theorem 45. Recalling (3), we see 
that for any multiplicative character $\chi$ of order $e$ of $\mathbb{F}_p^*$ we have 

We now fix a sufficiently small $\varepsilon > 0$ and take $\mathcal{X} = \{1, \ldots, h\}$ where 
$h = \lceil p^{1/2+\varepsilon} \rceil$. Applying Lemma 19 with a large enough $\nu$, we obtain a 
contradiction. Since $\varepsilon > 0$ is arbitrary, the result now follows. □ 

Collecting the results of Theorems 45 and 46 we obtain an algorithm 
of complexity $e^{1/4}p^{1/4+o(1)}$ for any $e < (p - 1)/2$. 

For small values of $e$ we can use Lemma 36 to derive the following 
result: 

Theorem 47. For a prime $p$ and a positive integer $e \mid p - 1$ with $e < p^\delta$ 
for some fixed $\delta > 0$, given an oracle $\mathcal{O}_{e,s}$ for some unknown $s \in \mathbb{F}_p$ 
and $t \in \mathbb{F}_p$, there is a deterministic algorithm to decide whether $s = t$ 
in time $e^{c_0\delta}(\log p)^{O(1)}$, where $c_0$ is some absolute constant. 

For $e \mid p - 1$ with $e < (p - 1)/2$ we define $N(e)$ as the largest $H$ such 
that for some $x \in \mathbb{F}_p$ and $r \in \mathbb{F}_p^*$ we have $x + 1, \ldots, x + H \in r\mathcal{G}_e$. We 
see from the proofs of Theorems 45 and 46 that 

$$(34) \qquad N(e) \le e^{1/2+o(1)}$$

as $e \to \infty$. 

Lemma 36 gives the following improvement of (34) for small $e$. If 
$e < p^\delta$ then 

$$(35) \qquad N(e) = O\bigl(e^{c_0\delta}\bigr).$$

In particular, 

$$N(e) = e^{o(1)}$$

as $e = p^{o(1)}$ and $e \to \infty$. 

3.3. Shifted Power Identity Testing with Unknown $t$. For large 
values of $e$ we have the following simple result. 

Theorem 48. For a prime $p$ and a positive integer $e \mid p - 1$ with 
$e < (p - 1)/2$, given two oracles $\mathcal{O}_{e,s}$ and $\mathcal{O}_{e,t}$ for some unknown $s, t \in \mathbb{F}_p$, 
there is a deterministic algorithm to decide whether $s = t$ in time 
$p^{1/2+o(1)}$. 

Proof. We note that by Lemma 11 if $s \ne t$ then for $h = \lceil p^{1/2}(\log p)^2 \rceil$ 
and sufficiently large $p$, the condition (1) fails for at least one $x = 
1, \ldots, h$. The algorithm is now immediate. □ 
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For e < p^/^ we have a stronger result. 

Theorem 49. For a prime p and a positive integer e \ p — 1 with 
e < (p — l)/2, given two oracles Oe,s and O^^t for some unknown s,t E 
¥p, there is a deterministic algorithm to decide whether s = t in time 

max{ei/V(i\eV'+°^'^}- 

Proof. We fix some integer h and assume that ([1]) holds for every x G 
{0, . . . ,h} and s t. 

Then there are {h + 1)^ values of x, y G {0, . . . , /i} we have 

{x + s){y + s) 
{x + t){y + t) 

On the other hand, as we have shown in the proof of Theorem [38] (see 
the bound fl2I?l) ). there are at most e{h^^'^~^°^^^p~^/'^ + h°^^^) such pairs 

Thus, fixing an arbitrary e > and taking 

h = ma.x{e^^^p'' , e'^p'^'^"} , 

we see that ([1]) cannot hold for every x E {0, . . . , h} unless s = t. Since 
£ > is arbitrary, the result follows. □ 

Combining Theorems SH] and SHI we obtain an algorithm of complex- 
ity 

r if e < p^/^ 

Tp(e) = p°^'^ \ e^p-i if p2/3 < e < ^3/4^ 

[ if p3/4 <e<{p- l)/2. 

In particular, Tp(e) < e^^^p"^^^ for any e < (p — l)/2. 

For small values of e we can use Lemma [37] to derive the following 
result: 

Theorem 50. For a prime p and a positive integer e \ p — 1 with e < p^ 
for some fixed 6 > 0, given two oracles O^^s o,nd O^^t for some unknown 
s,t E ¥p, there is a deterministic algorithm to decide whether s = t in 
time e'^'"^^''^(logp)'^^^'', where cq is some absolute constant. 

In particular, we see from Theorem [SD] that if e = p°^^^ and e — )■ oo 
then we can test whether s = t in time e°*-^^(logp)*^''^'* in e°*-^^ oracle 
calls. 
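The identity tests of Sections 3.2 and 3.3 both reduce to comparing $e$-th powers along a short interval, and the quantity $N(e)$ defined above is what bounds the interval length they need. The following example, written for this page and not part of the paper, implements the known-$t$ test (compare $\mathcal{O}_{e,s}(x)$ with $(x + t)^e$ for $x = 1, \ldots, h$, skipping the forbidden call $x = -t$), the two-oracle test (compare $\mathcal{O}_{e,s}$ and $\mathcal{O}_{e,t}$ on $x = 0, \ldots, h$), and a brute-force computation of $N(e)$ for a small prime, so the bound (34) can be checked by hand. Function names and the toy parameters $p = 13$, $e = 4$ are constructed.

```python
def make_oracle(p, e, s):
    """Simulated O_{e,s}(x) = (x+s)^e mod p."""
    return lambda x: pow(x + s, e, p)


def same_shift_known_t(oracle, p, e, t, h):
    """Known-t test (Section 3.2): compare O_{e,s}(x) with (x+t)^e for x = 1..h.
    One mismatch proves s != t.  Agreement for every x means x+s and x+t lie
    in a common coset of G_e for the whole interval, which the bounds (34) and
    (35) on N(e) rule out once h is large enough unless s = t.  The call
    x = -t is forbidden in the problem statement, so it is skipped."""
    return all(oracle(x) == pow(x + t, e, p)
               for x in range(1, h + 1) if (x + t) % p != 0)


def same_shift_two_oracles(oracle_s, oracle_t, h):
    """Unknown-t test (Section 3.3): compare the two oracles on x = 0..h;
    (1) failing for a single x already proves s != t."""
    return all(oracle_s(x) == oracle_t(x) for x in range(h + 1))


def N_of_e(p, e):
    """Brute-force N(e): the largest H such that x+1, ..., x+H lie in one coset
    r G_e for some x.  Two nonzero elements lie in the same coset of G_e (the
    subgroup of order e) exactly when their e-th powers agree, so a run is a
    maximal block of consecutive nonzero residues with equal e-th power."""
    best = 0
    for x in range(p):
        first = pow(x + 1, e, p)
        H = 0
        while (x + 1 + H) % p != 0 and pow(x + 1 + H, e, p) == first:
            H += 1
        best = max(best, H)
    return best


if __name__ == "__main__":
    p, e = 13, 4                                   # constructed: 4 | 12
    o_s, o_t = make_oracle(p, e, 2), make_oracle(p, e, 3)
    print(same_shift_known_t(o_s, p, e, 2, 3), same_shift_known_t(o_s, p, e, 3, 3))
    print(same_shift_two_oracles(o_s, o_t, 2), N_of_e(p, e))
```

For $p = 13$, $e = 4$ the cosets of $\mathcal{G}_4 = \{1, 5, 8, 12\}$ are $\{1, 5, 8, 12\}$, $\{2, 3, 10, 11\}$ and $\{4, 6, 7, 9\}$, so the longest run of consecutive residues inside one coset has length $N(4) = 2 = e^{1/2}$; accordingly, an interval of length $3$ already separates any two distinct shifts in both tests.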

4. Comments and Open Questions 

Probably the most challenging question is to design a deterministic 
algorithm for the Hidden Shifted Power Problem which is faster than 
interpolation. 

We note that the constants in Lemmas 36 and 37 and the bound (35) 
can easily be made explicit. It is a natural question to obtain good 
numerical values for these constants and thus fully explicit versions of 
Theorems 47 and 50. 

As we have mentioned, Lemma 32 solves an open problem from [18]. 
Furthermore, the arguments used in the proof of Lemmas 32 and 34 can 
be used for several other problems. They can also be used to generalise 
and improve some of the results of [11] about intersections of intervals 
and subgroups of $\mathbb{F}_p^*$. 

We have proven that for any $e < (p - 1)/2$ the minimal number of 
calls to the oracle $\mathcal{O}_{e,s}$ to find $s$ is $p^{o(1)}$. However, one can study a more 
general problem. Let $\mathcal{A} \subset \mathbb{F}_p$. We define $\mathcal{O}_{\mathcal{A},s}$ as an oracle that on 
every input $x \in \mathbb{F}_p$ outputs $1$ if $x + s \in \mathcal{A}$ and $0$ otherwise, where $s$ is 
a "hidden" element $s \in \mathbb{F}_p$. 

Open Question 51. Is it true that for any fixed $\delta \in (0, 1/2)$ and for 
any set $\mathcal{A} \subset \mathbb{F}_p$ with $\delta p \le \#\mathcal{A} \le (1 - \delta)p$ there is a deterministic 
algorithm that finds $s$ after $p^{o(1)}$ calls (or even $O(\log p)$ calls) to the 
oracle $\mathcal{O}_{\mathcal{A},s}$ as $p \to \infty$? 

It is also important for applications to pairing based cryptography 
to extend our results to arbitrary finite fields. We note that analogues 
of some of the results we have used are also known for arbitrary finite 
fields. For example, versions of Lemma 19 have recently been obtained 
for arbitrary finite fields, see [11], [17], [32]. Lemmas 16, 17 and 18 can 
also be easily extended to arbitrary fields. However analogues of many 
other results, such as Lemmas 1, 3 and 21, are not known for arbitrary 
finite fields. 

As we have mentioned, there are efficient quantum algorithms to 
solve the Hidden Shifted Power Problem. However they require a quantum 
oracle $\mathcal{O}_{e,s}$. It is certainly natural to investigate how much speed-up 
quantum algorithms can provide in the case of a classically given 
oracle $\mathcal{O}_{e,s}$ (that is, as in all results of this work). 

Finally, it is also interesting to consider similar problems in the case 
of "noisy" oracles, which, with a certain probability, for a given 
input do not return any answer or even may return a wrong answer. 
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